6.4.3 Detection and Authorization of Dual-Use Capability at Inference Time
Original Problem in the Paper
Motivation: if assessments flag dual-use domain competence, providers may need to avoid public default exposure while preserving legitimate uses (e.g., cybersecurity professionals patching vulnerabilities). Open problems: detect all requests for dual-use capabilities, distinguish legitimate from malicious intent, and require authentication/authorization (e.g., certified experts, red-teamers, researchers) before access; proof-of-concept authorization schemes were hypothetical.
July 2026 Update & Trajectory
Dual-use gating has moved from hypothetical to narrow deployment: Anthropic describes access controls plus real-time/asynchronous classifiers for catastrophic-risk safeguards, and OpenAI’s 2026 Cybersecurity Grant update says it introduced Trusted Access for Cyber with API credits for defensive deployment. However, reliable intent classification remains unverified; I could verify the OpenAI update only via the Grant Program page because the Trusted Access page itself returned 403. Authorization is operational for specific programs/domains, not a general inference-time standard.
Deployed / Operationalized
- Tiered access/vetting for safety testing and partner use cases; enhanced due diligence based on trustworthiness and beneficial use-case.
- Real-time prompt/completion classifiers plus asynchronous monitoring for CBRN/cyber and other severe-harm domains.
- Cyber-defender trusted-access programs and API-credit grants for defensive cybersecurity use; offensive projects excluded.
New Tractable Vectors
- Route detected dual-use requests into authorization workflows rather than blanket refusal.
- Use domain-specific classifier cascades (cyber, bio, chem) with user identity, organization vetting, and monitoring.
- Offer researcher/red-team modes with compensating controls, logging, and revocable access.
Key Open Questions
- Robustly distinguishing malicious intent from legitimate dual-use work under jailbreaks, roleplay, ambiguity, and staged multi-turn requests.
- Privacy-preserving credential/authorization schemes for sensitive occupations or researchers across jurisdictions.
- Preventing authorized users from laundering capabilities to unauthorized users or automating harmful workflows.
Evidence & Primary Sources
- Anthropic RSP ASL-3 deployment safeguards include access controls for deployment context/user groups, enhanced due diligence, real-time prompt/completion classifiers, asynchronous monitoring, and post-hoc jailbreak detection. (2026-05-26): https://www.anthropic.com/responsible-scaling-policy
- OpenAI Cybersecurity Grant Program page states Feb. 5, 2026 update introduced Trusted Access for Cyber and $10M in API credits, focused on large-scale defensive cyber deployment; offensive-security projects are not considered. (2026-02-05): https://openai.com/index/openai-cybersecurity-grant-program/
- NIST GenAI Profile treats CBRN and information-security capabilities as GAI risks requiring ongoing assessment and monitoring of access to tools/data. (2024-07-25): https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
- OWASP GenAI Security Project documents LLM application risks such as prompt injection, sensitive information disclosure, and model theft that must be handled in deployment contexts. (2025): https://owasp.org/www-project-top-10-for-large-language-model-applications/