The LLM Mirage: Economic Interests and the Subversion of Weaponization Controls

The performance of AI models reflects the interaction of data, algorithms, and compute. The research community has long debated which input matters most in practice. However, a sequence of empirical regularities made compute scaling feel unusually reliable for producing broad, general-purpose performance. That perception matters because it later became the intellectual justification for treating compute as both a research input and a national security lever.

Early work emphasized data. Halevy, Norvig, and Pereira (Halevy et al., 2009) highlighted the “unreasonable effectiveness” of data. Sufficiently large datasets can allow comparatively simple methods to perform well. They asserted that while hand-crafted improvements to algorithms matter, more predictable gains can be acquired by scaling the amount of data simple algorithms operate on top of. For governance, this reinforced the idea that “frontier progress” could be summarized by a single dominant input when measurement and enforcement demanded simplification.

Further, Sutton’s “Bitter Lesson” (Sutton, 2019) observed that over long horizons, general learning methods that leverage search absorb more computation and more experience, which then outperform approaches that rely on specialized human insight. In practice, this argument reinforced a research strategy that prioritized scalable training pipelines and general architectures. It also nudged the field toward a view in which algorithmic novelty matters, but scaling is the metronome of progress. In the dominant “frontier” governance conversations, The Bitter Lesson shifted the default story from algorithmic ingenuity to computational scale.

Deep learning researchers formalized these intuitions through research establishing empirical scaling relationships. Researchers at Baidu articulated power-law behavior showing that performance can scale predictably with increases in model size and training data (Hestness et al., 2017). Work from OpenAI extended and popularized this idea for Transformer-based models, establishing correlations among model size, dataset size, and training compute (measured in petaFLOPs) (Kaplan et al., 2020). In sum, these works showed that systematic gains could be achieved by increasing scale across multiple dimensions in tandem—and that compute budgets offered the most predictive measure of that scale.

Later results refined the perception. Work on the Chinchilla family of models argued that given a fixed compute budget, there is a compute-optimal tradeoff between parameters and training tokens (Hoffmann et al., 2022). This strengthened a practical belief that compute allocations govern the feasible frontier. If one can secure large compute budgets and allocate them efficiently, one can reach higher performance with some predictability. In parallel, the assertion of “emergent abilities”—capabilities that appear in large models but are absent in smaller ones and are not straightforwardly predictable from extrapolation—added urgency to the notion of threshold effects (Wei et al., 2022). If some capabilities arrive discontinuously, then it becomes politically and strategically natural to fear “crossing the line,” and to treat reaching (or denying) the compute needed to cross that line as central. In aggregate, the discourse around scaling laws turned compute budgets into an unusually legible single-number summary of “frontier-ness,” despite a deeply complex underlying causal.

At the same time, researchers contested the scaling paradigm even as it hardened into orthodoxy. Prior work has warned that equating parameter count or training compute with reasoning capability is a category error (Hooker, 2024; Gupta et al., 2024a). Related critiques emphasized the lack of semantic understanding in purely statistical language models, the measurement validity problems associated with the correlation of benchmark performance with competence, and even the environmental costs and externalities of large-scale training (Bender et al., 2021; Narayanan and Kapoor, 2024). These critiques emphasize that even if scale is correlated with some forms of performance in frontier LLM development, scale itself is not a stable substitute for understanding what a system can actually do in context, or what harms it can enable.

Against this technical backdrop, national security actors began translating ML intuitions into policy. Ben Buchanan labeled data, algorithms, and compute as the “AI Triad” and argued that compute offered the United States a uniquely durable asymmetric advantage because advanced semiconductors are concentrated and exportable (Buchanan, 2020). In his framework, data was comparatively “overvalued and overhyped” as a strategic choke point, while compute was portrayed as enforceable leverage. This interpretation proved influential because it aligned with both the scaling narrative (compute as frontier shorthand) and the institutional realities of enforcement (chips as inspectable, licensable objects). But it also set up the central substitution this paper critiques: the move from “compute is a practical bottleneck for frontier research” to “compute is a proxy for weaponization risk.”

Compute’s legibility as a shorthand made it easy to translate into policy. Intent, deployment context, and downstream weaponization vectors are hard to measure and even harder to govern. Compute is measurable. It can be linked to physical supply chains, licensing regimes, and reporting requirements. As a result, U.S. AI security policy increasingly defined the “frontier” through input thresholds—training FLOPs, cluster size, and chip performance—instead of observed effects in real-world operational settings.

This translation is visible in President Biden’s Executive Order 14110 (White House, 2023). The order institutionalized a focus on scaling by creating a regulatory framework centered on “dual-use foundation models,” defined as AI models that pose serious national security risks. Critically, it defined the frontier through high-water marks tied to model size and compute, rather than a task-based assessment. The order established a bright-line threshold for models trained with more than $10^{26}$ integer or floating-point operations and noted that covered models contain “at least tens of billions of parameters.” The order justified this focus by pointing to CBRN and cyber risks, including lowering barriers for non-experts to design or use CBRN weapons and enabling powerful offensive cyber operations. In other words, the governance logic was effects-motivated, but the regulatory trigger was input-oriented.

The Department of Commerce’s export controls further reinforced the same logic. The October 2022 controls restricted high-end chips and related technologies (Bureau of Industry and Security, 2022). These controls aimed to slow China’s military modernization by limiting access to the hardware underpinning advanced AI. Again, the frontier of AI hardware was defined through quantitative performance thresholds, specifically total processing power and high-speed interconnect bandwidth, that can be enforced through licensing and shipment controls. This effectively treated cutting-edge compute as the primary strategic chokepoint, privileging control of the newest and most powerful chips as a pathway to controlling advanced AI systems.

The January 2025 “Framework for Artificial Intelligence Diffusion” extended the compute-centric approach beyond hardware into the governance of model distribution (Bureau of Industry and Security, 2025b). The framework sought to manage the global spread of advanced AI by regulating both high-end chips and the export of trained model weights. It proposed a tiered system in which trusted allies received streamlined access, nations of concern faced strict denials, and other countries were assigned compute-based quotas. Yet, despite this geographically differentiated architecture, the framework retained compute as its definitional core. The amount of training compute primarily determined which models triggered restrictions rather than by demonstrated use conditions and effects.

Compute thresholds do more than provide a proxy measurement for risk; they operationalize a theory of what risk is. Quantification makes some phenomena legible to governance while pushing others to the margins (Espeland and Stevens, 2008; Merry, 2016). In the context of AI security, defining the “frontier” through training FLOPs, chip performance, or cluster scale privileges what can be inspected at ports and audited in data centers over intent, operational integration, doctrine, and effects in context.

Thresholds also function as classification systems. Once a rule sorts systems into regulated and unregulated categories, those categories take on institutional reality even when the underlying harms are heterogeneous and contingent (Bowker and Star, 2000). The proxy becomes especially brittle when it is treated as the object of governance rather than as a partial indicator of a broader construct.

This is a familiar failure mode in metric-centered regulation. When a measure becomes a target, actors game it in ways that weaken its relationship to the construct it was meant to represent. Industry-funded safety benchmarks can become a form of "transparency theater" (Douek, 2022; Raji et al., 2022), where compute-centric audits allow incumbents to self-grade while excluding the public from defining what counts as a risk. In AI security policy, that gap has significant effects. Weaponization depends on capability, intent, and deployment context, not on a single scalar input. Treating compute as a one-number proxy invites both false negatives (harmful systems below the threshold) and false positives (high-compute systems outside weaponization pathways).

Finally, measurement choices reallocate influence. When compliance and evaluation hinge on assets controlled by a small set of firms, those firms gain structural agenda-setting power over what evidence is produced, what risks are treated as salient, and what oversight is considered feasible (Wei et al., 2025). Where evaluators lack meaningful access and must rely on firm-mediated interfaces, the most “auditable” actors can shape what gets audited and how (Terzis et al., 2024; Young et al., 2022).

Compute-linked controls translated diffuse national security concerns into an administrable rule. That translation, however, still leaves Washington without a testable target condition for what the rules are meant to stop. In that gap, justification can drift from threat mitigation toward industrial competitiveness, ultimately resulting in negotiation over infrastructure.

The rescission of the diffusion framework illustrates this dynamic. Commerce emphasized burdens on U.S. industry and effects on diplomacy rather than engaging the concrete weaponization risks and use cases the rule was meant to constrain (Bureau of Industry and Security, 2025a). Infrastructure-focused governance, which is inherently tied to large capital investments, makes it easy for invested parties to pivot the debate towards deals and industrial advantage over evidence of capability and use.

Indeed, the rollback did not stop at the reversal of the AI Diffusion Framework. In December 2025, the Trump administration authorized exports of NVIDIA’s high-end H200-class AI accelerators to approved customers in China under a revenue-sharing arrangement (Nellis et al., 2025; Hawkins et al., 2025). Because the policy community never operationally specified “weaponization,” no stable evidentiary burden constrained its reversal. Instead, the debate became a negotiation over private sector interests and competitiveness rather than a test of credible misuse scenarios, and “security” became a label attached to whatever threshold was convenient.

Beyond instability, the more significant strategic cost of the LLM Mirage is misplaced reassurance. A compute-defined perimeter can look stringent while leaving open the pathways that matter for operational weaponization. Two patterns are already visible: (1) capability advances through algorithmic efficiency on export-compliant hardware; and (2) weaponizable task-specific systems that sit well below “frontier” thresholds.

First, Chinese firms have trained state-of-the-art models such as Hunyuan-Large (Sun et al., 2024) and DeepSeek-R1 (DeepSeek-AI et al., 2025) on export-control-compliant GPUs by leveraging common modeling and training techniques (Gupta et al., 2024c). In that setting, static hardware thresholds constrain headline infrastructure without reliably bounding the development of weapons.

Second, specialized systems can deliver militarily salient effects without frontier compute. The Ukrainian military is deploying small models with millions of parameters ($\sim 1000\times$ smaller than the smallest LLMs) on modest hardware (NVIDIA Jetson Orins, roughly 14$\times$ less powerful than an NVIDIA H200) at scale (Bondar, Thu, 03/06/2025 - 12:00). On the other side of the world, the Chinese-origin Zhousidun dataset was created to train an object detection model designed to identify and target radar and missile components on U.S. and allied naval destroyers (Gupta et al., 2024b). These cases are exemplars of pathways a compute-centric regime tends to underweight.

Together, these patterns point to a measurement problem more so than an enforcement problem. Governing weaponization requires evaluating demonstrated performance and use conditions, not assuming that compute levels delimit operational risk.

Tiered export regimes and compute thresholds sort countries, firms, and research institutions by their position in supply chains and alliance networks rather than by demonstrated weaponization pathways. The diffusion framework’s tier architecture made this explicit by creating differentiated access to advanced chips and model assets across geopolitical categories, with many destinations governed through quantitative caps rather than capability-specific evidence. Within the United States and allied ecosystems, compute-triggered compliance costs also scale with organizational capacity. Large firms can absorb reporting, secure facilities, and evaluator engagement; smaller labs and public-interest researchers often cannot.

The LLM Mirage enforces a specific geopolitical epistemology of security. In international relations, “securitization” occurs when an issue is framed as an existential threat to justify extraordinary measures—such as the compute-centric export controls and diffusion frameworks analyzed in this paper (Buzan et al., 1998). In the context of AI, this securitization is predominantly led by Global North institutions, which define “safety” and “security” through the lens of frontier parity and existential risk.

Current governance regimes rely on a security-through-scarcity model. However, for nations in the Global South, this safety manifests as enforced technological underdevelopment (Safir et al., 2025). When compute thresholds are set as the primary trigger for regulatory oversight, they become a barrier to entry for local innovation, effectively forcing dependency on Global North software-as-a-service or infrastructure-as-a-service offerings.

Global South populations face immediate, task-specific weaponization and surveillance risks which the LLM Mirage overlooks. As non-LLM-based surveillance tools are exported to African, Southeast Asian, and Latin American states (Jili, 2025) under the guise of technological partnership, they create new paradigms of strategic vulnerability and eroded algorithmic sovereignty. In these contexts, security is a lived reality of automated over-policing, biometric exclusion, and the suppression of political dissent facilitated by imported AI systems that operate without local accountability or contextual relevance (Heeks, 2020).

We propose the following definition:

AI weaponization is the intentional employment or objective immediate capability of an artificial intelligence system to cause physical, digital, or psychological harm, to create an asymmetric advantage in conflict, or to materially facilitate such effects.

This intent-and-capability standard proposed above is preferable because it abandons domestic statutes’ input-based regulation in favor of the epistemological framework of International Humanitarian Law (IHL) (Diplomatic Conference on the Reaffirmation and Development of International Humanitarian Law applicable in Armed Conflicts, 1977). While domestic laws and export control regimes frequently define weapons by their physical mechanisms—such as firearms that “expel a projectile by the action of an explosive”—the law of armed conflict offers a more sophisticated, effects-based standard. IHL recognizes that the legal and strategic significance of a weapon lies not in its material form, but in the effects it produces and the manner in which it is used. Unlike a tank or a missile, an AI system’s weaponization potential is rooted more in its operational integration than its hardware footprint.

Under IHL, states regulate weapons not simply as objects, but as means and methods of warfare. This distinction, embedded in Additional Protocol I to the Geneva Conventions, directs legal scrutiny toward whether a weapon or method of warfare is capable of being employed in compliance with core principles such as distinction, proportionality, and military necessity. Article 36 weapons reviews, in particular, require states to assess whether the use of a new weapon, means, or method of warfare would be prohibited under international law. Such assessments eschew physical composition alone and instead additionally encompass effects, foreseeable use, and operational context.

This framing accommodates non-traditional weapons. States regulate chemical and biological agents, cyber capabilities, and certain forms of information operations not because of their physical characteristics, but because of their effects on combatants, civilians, and the conduct of hostilities (Price, 1995; Tannenwald, 1999; Bentley, 2024; Mueller, 2003). A virus can be a weapon; code can be a weapon; a commercial system can become a weapon through either an intended or unintended use. What matters under IHL is not whether harm is delivered kinetically, but whether a tool is intentionally employed to cause damage or gain military advantage in a manner that implicates humanitarian protections.

Weapons law scholars have developed extensive frameworks for applying IHL’s principles of distinction and proportionality to novel means of warfare, such as autonomous systems (Schmitt and Thurnher, 2013), demonstrating that effects-based legal review is both required and practically implementable even when a system lacks conventional physical form (Corn, 2014).

Artificial intelligence systems fit squarely within this effects-based legal tradition. An AI model is not a weapon by virtue of its architecture or training compute, but it can become one through the intentional development, modification, or deployment of the system to produce military effects. An AI system used for automatic target recognition, autonomous navigation of munitions, cyber exploitation, or large-scale psychological operations functions as a means of warfare regardless of whether it is embedded in a missile, a drone, or a data center (Burton and Soare, 2019; Lin, 2025; Schwartz and Horowitz, 2025; Kahn, 2024). Treating such systems as outside the scope of weapons regulation because they lack a conventional physical form misreads both the letter and the spirit of IHL.

This emphasis on effects instead of platforms is mirrored in contemporary military doctrine. U.S. joint doctrine—and Air Force doctrine in particular—explicitly frames warfare as “effects-based,” prioritizing outcomes over delivery mechanisms (Deptula, 2001). Whether a target is neutralized by a manned aircraft, an uncrewed system, or a cyber operation is operationally secondary to the effect achieved. Modern joint warfighting is organized around integrating capabilities across domains to produce desired strategic results, not around the intrinsic properties of individual platforms.

Current compute-centric AI governance sits uneasily with IHL’s effects-based logic and risks leaving genuinely weaponized AI systems outside meaningful regulatory scrutiny while over-regulating benign technologies. Indeed, pushing the frontier should be encouraged rather than discouraged from a technology competitiveness perspective. A durable framework for AI governance should therefore align with the established principles of the law of armed conflict and regulate AI systems based on their intended use and foreseeable effects, not the hardware on which they are trained.

The necessity of an effects-based definition of weaponization becomes clear when viewed through the lens of cost-of-force exchange ratios (Fowler and Cason, 1997). In contemporary great-power competition, strategic advantage increasingly accrues not to the actor fielding the most exquisite platforms, but to the actor that can impose unfavorable exchange ratios on its adversary over time. Artificial intelligence represents one technology (in tandem with others) that is rapidly changing this dynamic by enabling relatively inexpensive systems to identify, target, and destroy far more costly ones (Mazarr, 2023).

Modern conflict increasingly revolves around attrition under conditions of technological asymmetry, even among advanced militaries. Today’s militaries are increasingly seeking to leverage low-cost, AI-enabled unmanned systems, often assembled from commercial components and guided by relatively simple models (Scharre, 2019), to destroy far more expensive systems, whether tanks, air defense systems, or aircraft carriers costing orders of magnitude more. In many cases, the strategic effect is not the individual tactical loss, but the cumulative erosion of force structure and the unsustainable economics imposed on the defender (Horowitz, 2019). When a system costing thousands of dollars can reliably destroy one costing millions, traditional assumptions about deterrence, escalation control, and military modernization break down.

For the United States, whose force structure is heavily weighted toward high-end, capital-intensive platforms—aircraft carriers, fifth-generation fighters, advanced missile defense systems, and its nuclear arsenal—this dynamic is particularly dangerous (Smith, 2022). The strategic risk is not that adversaries will outcompete the United States in building more exquisite systems, but that they will instead exploit AI-enabled sensing, targeting, and coordination to make U.S. platforms increasingly vulnerable to cheaper means of attack (Eslami et al., 2025). In this context, the most consequential AI applications are not frontier large language models, but task-specific systems that compress the operational timeline: automatic target recognition, sensor fusion, trajectory optimization, and real-time battle damage assessment.

This logic fundamentally challenges compute-centric AI governance (Robinson, 2025; Hatz, 2025; Kop, 2025; Chesterman, 2024; Emery-Xu et al., 2025). Weaponization, particularly in a great-power context, is not defined by the sophistication or scale of an AI system in isolation, but by its ability to alter force-exchange dynamics. A small, specialized model that improves the probability of kill for a loitering munition, or that enables cooperative targeting among swarms of inexpensive drones, can have greater strategic impact than a vastly more powerful general-purpose model used for benign applications. What matters is whether AI lowers the marginal cost of imposing damage on an adversary’s most valuable assets.

Importantly, this dynamic does not require technological parity. Adversaries need not match U.S. investment in compute, data centers, or frontier models to achieve destabilizing effects. They need only achieve sufficient capability to exploit vulnerabilities in U.S. force design and acquisition assumptions. AI accelerates learning, iteration, and adaptation, allowing militaries to rapidly refine tactics and systems that optimize for unfavorable exchange ratios. This is precisely why focusing regulatory attention on the apex of the AI ecosystem obscures the systems most likely to be weaponized in practice.

Viewed through this lens, the defining characteristic of system as a weapon depends on its ability to shift the economics of conflict, a functional reality that remains independent of its underlying computational pedigree. An AI system is strategically significant if it allows one actor to destroy, disable, or neutralize an adversary’s forces at a fraction of the cost the adversary must pay to defend or replace them.

A regulatory framework that ignores this reality—by equating risk with model scale or training compute—will fail to address the most probable pathways through which AI reshapes great-power military competition. From our perspective, this is a significant blindspot in the contemporary policy discussions.

The first step is to develop a granular taxonomy of high-risk capabilities grounded in concrete national security concerns. While not exhaustive, three categories illustrate the most salient risks motivating contemporary AI policy: CBRN proliferation, offensive cyber operations, and autonomous or semi-autonomous military functions (particularly where there are kinetic effects).

In the CBRN domain, the primary concern is not passive information access but the use of generative and optimization-based models to design novel toxic chemicals or biological agents with tailored properties (Barrett et al., 2024; Kumar et al., 2025). Prior research (Urbina et al., 2022) has demonstrated that AI systems developed for drug discovery can be readily repurposed to generate thousands of potentially lethal compounds, including many that fall outside existing regulatory watchlists. The risk lies not in factual recall, but in procedural enablement, i.e., compressing expertise, accelerating iteration, and lowering barriers to synthesis.

In offensive cyber operations, high-risk capabilities include the use of AI agents to identify vulnerabilities in large codebases, discover zero-day exploits, or autonomously generate functional exploit code (Sinha et al., 2025). These tasks directly reduce the time, skill, and organizational capacity required to conduct sophisticated cyber attacks (Anthropic, 2025), with clear implications for critical infrastructure and military networks.

Military-relevant weaponization includes capabilities such as automatic target recognition in cluttered or degraded environments, autonomous navigation and coordination under adversarial conditions, and large-scale generation of tailored propaganda or deepfakes intended to erode public trust or manipulate decision-making. These functions are destabilizing in part because they operate in gray-zone contexts below traditional thresholds of armed conflict.

Identifying such capabilities is a necessary first step which further requires measurement. This, in turn, demands a suite of concrete, task-specific benchmarks. In this framework, a benchmark is a controlled evaluation defined by four components: the datasets used, the performance metrics applied, the operational context of the test, and the hardware on which the system is evaluated. Since benchmarks can become de facto policy instruments, they should be treated as measurement claims rather than as neutral tests. Each benchmark should make explicit what construct it is intended to measure (and what it does not), what forms of external validity are plausible, and how results should or should not generalize across deployment conditions.

For example, a CBRN benchmark would not ask whether a model can describe a nerve agent, but whether it can design a novel toxic molecule or propose a viable synthesis pathway. Evaluation would draw on established chemical and biological databases (e.g., ZINC, PubChem) and assess outputs using effects-based metrics such as predicted toxicity, novelty, and synthesis feasibility (Mouton et al., 2024). Contextual variation—such as access to external simulation tools or deployment on commodity hardware—would test whether dangerous capabilities emerge outside frontier compute environments.

Similarly, cyber benchmarks would evaluate a model’s ability to generate working exploits in sandboxed environments using vulnerable codebases like the Juliet Test Suite (Richardson, 2025). Performance would be measured by time-to-discovery and exploit success rates under realistic access constraints (e.g., black-box versus white-box conditions) rather than descriptive accuracy.

In the military domain, benchmarks could assess automatic target recognition or autonomous coordination using imagery datasets such as xView (Lam et al., 2018) or high-fidelity simulators. Metrics would be tied to mission-relevant outcomes—e.g., precision and recall under sensor degradation, robustness to electronic warfare conditions, or task completion despite simulated losses—instead of laboratory accuracy alone.

By evaluating how specific combinations of data, algorithms, and compute translate into real-world effects, this benchmark-driven approach replaces static proxies like FLOPs with direct evidence of risk. Further, it allows regulators to identify weaponizable capabilities regardless of whether they arise from frontier-scale models or small, specialized systems trained on curated data.

Early efforts in this direction already exist. The Weapons of Mass Destruction Proxy (WMDP) benchmark, for instance, assesses whether models contain hazardous domain knowledge across biosecurity, chemical security, and cybersecurity (Li et al., 2024). However, WMDP primarily measures knowledge acquisition, not procedural competence. A model can correctly answer detailed questions about chemical precursors without being able to design a viable synthesis route or delivery mechanism. For regulatory purposes, this distinction is decisive. Governance frameworks must therefore move beyond asking what models know to rigorously testing what they can do. Conversely, others have built crisis simulations that measure the adherence of LLMs towards IHL principles, but stop short of building a reproducible evaluation (Drinkall, 2025).

Any actor seeking to deploy or export advanced capabilities along any axis of the AI triad should be required to demonstrate that those capabilities do not materially increase risk. We propose a regulatory framework that evaluates how specific combinations of resources translate into concrete, weaponizable capabilities.

For hardware manufacturers, export licensing for new compute platforms would be contingent on providing limited access to the relevant hardware for controlled evaluation. This enables direct testing of whether novel compute architectures meaningfully accelerate high-risk capabilities relative to existing systems. Similarly, firms that control large, proprietary datasets intended for generative AI training would be required to make a representative subset available for secure benchmarking, allowing evaluators to assess whether data access alone materially shifts the risk frontier.

The framework would then incentivize academic researchers and trusted third parties to develop state-of-the-art algorithms using these shared resources. Resulting systems would be continuously evaluated against a standing suite of high-risk task benchmarks. This live evaluation process serves two functions. First, it provides an empirical measure of the pace of model development, allowing regulators to maintain a calibrated understanding of the adaptation buffer. Second, it generates quantitative evidence to justify regulatory intervention. Policy can respond as soon as benchmarks show that the Pareto frontier of dangerous capabilities has advanced—regardless of whether that advance is driven by compute, data, or algorithms.

We propose a hybrid institutional architecture that leverages existing U.S. government authorities to realize our live benchmarking framework. The National AI Research Resource (NAIRR) should serve as the infrastructure backbone, providing a secure, air-gapped computational enclave (NAIRR Secure) where proprietary models can be hosted for evaluation without risking IP leakage. However, the governance and testing mandate must reside with the Center for AI Standards and Innovation (CAISI) at NIST. As the agency responsible for standards and measurement, CAISI possesses the requisite technical authority to design validity-tested benchmarks for CBRN and cyber capabilities. Under this division of labor, NAIRR provides the public-interest audit infrastructure, while NIST provides the testing harness.

Positioning NAIRR Secure as the locus of live evaluation offers several advantages. It centralizes sensitive testing within a trusted, publicly accountable institution and does not place the sole burden on private firms with conflicting incentives. It ensures that the United States’ understanding of the AI frontier is not exclusively shaped by corporate disclosures or adversary behavior. It provides a consistent pipeline of up-to-date hardware for researchers building on NAIRR. Lastly, it creates a shared empirical baseline from which export controls, licensing decisions, and release thresholds can be justified and defended.

If live benchmarking reveals that a dangerous application (e.g., automated vulnerability discovery) can be achieved on a cluster of mid-tier GPUs using optimized algorithms, the CAISI/NAIRR architecture must trigger an immediate update to Commerce Department thresholds. In this model, benchmarks serve as upstream intelligence for downstream enforcement: they determine the technical specifications of the thresholds based on the reality of specific threats, ensuring that export controls restrict the hardware actually required for weaponization, not just the hardware required for commercial prestige.

We write as researchers based in the United States, working at the intersection of AI research, AI policy, and national security. This vantage point shapes our emphasis on U.S. regulatory institutions and great-power competition, and it risks reproducing a state-centric view of security that can obscure whose safety is prioritized. We therefore treat national security claims as contested political arguments rather than neutral descriptions of harm, and we foreground which communities face near-term exposure to AI-enabled violence and surveillance, and which communities benefit from compute-centric controls. Our framework is intended to support accountability and harm reduction, not to legitimize indefinite frontier advantage as an end in itself.

The authors used ChatGPT 5.2 for formatting and grammar checks, and to ensure that the submission met the ACM formatting guidelines. All outputs were reviewed by the authors before making edits to the manuscript.