A Microsoft team led by chief scientist Eric Horvitz reports it has uncovered a previously unknown weakness in the DNA biosecurity screening systems used by gene synthesis vendors, showing how artificial intelligence can be used to generate toxic proteins that slip past current safeguards. Described in Science, the work arose from a 2023 red-team effort to probe the dual-use potential of generative protein design, a class of tools already driving drug discovery at startups but theoretically capable of producing harmful molecules as well as beneficial ones.
The researchers targeted the standard safeguard in the supply chain: software that checks incoming DNA orders against databases of known toxins and pathogens. Using several generative protein models, including Microsoft’s EvoDiff, the team digitally redesigned known toxins to alter their sequences in ways predicted to preserve dangerous function while avoiding detection by the screening algorithms. Microsoft emphasizes that the exercise was purely computational and that no toxic proteins were synthesized. Prior to publication, the company notified the US government and relevant software makers, who issued patches. Even so, the authors say certain artificial intelligence designed molecules can still evade detection. “We are in something of an arms race,” said Adam Clore, director of technology R&D at Integrated DNA Technologies and a coauthor, noting the fixes are not one and done. To reduce misuse risk, the team withheld parts of its code and did not disclose the specific toxins involved, though it notes that some hazardous proteins, such as ricin and infectious prions, are widely known.
The findings reignite debate over where to place the strongest biosecurity controls. Dean Ball of the Foundation for American Innovation called for enhanced nucleic acid synthesis screening with enforceable verification, pointing out that the US already treats DNA order screening as a key security line. An executive order last May from President Trump sought a systemwide revamp, though new recommendations have not yet been released. Others are skeptical that synthesis screening can serve as a durable chokepoint. Michael Cohen, an artificial intelligence safety researcher at the University of California, Berkeley, argued the challenge was too easy and that patched tools still fail frequently, urging security to be embedded within artificial intelligence systems or their information outputs. Clore countered that monitoring gene synthesis remains practical because a small number of US vendors work closely with the government, while artificial intelligence development is widely accessible. Taken together, the episode underscores both the progress and the limits of current defenses and points to the need for sustained, iterative testing.
