Publishing AI research or releasing models creates benefits and risks simultaneously. The norms for when to disclose, delay, or withhold are evolving — deployers need a framework.
Dual-use research produces knowledge or tools that have both beneficial and harmful applications. In AI, this applies to capability research (models that can generate convincing synthetic media, summarize technical literature at expert level, or assist with complex planning) as well as to security research (attack techniques, jailbreaks, adversarial examples). Publishing either can simultaneously advance the field and give bad actors an edge.
Dual-use considerations don't only apply to academic publications. Deployers must ask: if a user discovers a way to use our product to cause harm, what are our obligations? Should we publish use case documentation, post mitigation guides, notify the model provider? Most deployers have no formal process for answering these questions; building one before you need it is the right move.
The AI safety community broadly agrees on certain red lines: AI systems that provide meaningful uplift for weapons of mass destruction, that substantially undermine oversight of powerful AI systems, or that enable mass-scale manipulation with no defensive dual use. These are not just research norms: they are increasingly being encoded into usage policies and, in some jurisdictions, law.
The big idea: disclosure decisions require an explicit benefit-harm calculus, not a default of publish-everything or share-nothing. Build the calculus before the capability ships, not after.
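To make that calculus concrete, here is a minimal Python sketch of the disclosure spectrum the questions below walk through (full open release, staged release, coordinated disclosure, redacted publication, no release). The field names, thresholds, and `recommend` function are illustrative assumptions for this lesson, not a prescribed standard; a real process would weigh the same factors with human review.

```python
from dataclasses import dataclass
from enum import Enum

class Disclosure(Enum):
    FULL_OPEN_RELEASE = "full open release"
    STAGED_RELEASE = "staged release"
    COORDINATED_DISCLOSURE = "coordinated disclosure"
    REDACTED_PUBLICATION = "redacted publication"
    NO_RELEASE = "no release"

@dataclass
class Finding:
    crosses_red_line: bool              # e.g. WMD uplift, undermining oversight
    is_vulnerability: bool              # security flaw in a deployed system?
    marginal_uplift: float              # 0-1: new capability this hands bad actors
    counterfactual_availability: float  # 0-1: how easily it's obtainable elsewhere
    defensive_value: float              # 0-1: how much defenders gain from disclosure

def recommend(f: Finding) -> Disclosure:
    # Red lines are absolute vetoes, regardless of the other factors.
    if f.crosses_red_line:
        return Disclosure.NO_RELEASE
    # Vulnerabilities in deployed systems go to the affected party first.
    if f.is_vulnerability:
        return Disclosure.COORDINATED_DISCLOSURE
    # If the capability is already widely available (say, purchasable from
    # several vendors), publishing adds little marginal risk.
    if f.counterfactual_availability > 0.8:
        return Disclosure.FULL_OPEN_RELEASE
    # High uplift with low defensive value: share the lesson, not the recipe.
    if f.marginal_uplift > 0.6 and f.defensive_value < 0.3:
        return Disclosure.REDACTED_PUBLICATION
    # Otherwise widen access gradually and watch for misuse along the way.
    return Disclosure.STAGED_RELEASE
```

The ordering of the checks carries the policy: red lines veto everything else, vulnerabilities route to whoever can fix them, and high counterfactual availability pushes an otherwise risky finding toward openness.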
15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-ethics-safety-dual-use-disclosure-adults
What characteristic defines AI research as dual-use?
According to the framework in this material, what is the key empirical question to ask when deciding whether to publish capability research?
Under what condition is full open release of AI research considered most appropriate?
What does staged release involve as described in this material?
What is the purpose of coordinated disclosure in the disclosure spectrum?
A researcher discovers a vulnerability that could allow AI systems to be manipulated into generating harmful content. What approach represents redacted publication?
When might the 'no release' option be appropriate for dual-use AI research?
What does the material identify as a key obligation for deployers beyond research labs?
Which of the following is identified as a red line that should not be released?
The material notes that restricting use in terms of service is insufficient because:
What is the overarching framework for disclosure decisions described in this material?
If an AI model can already be purchased from three different vendors, how does this affect the disclosure calculus?
Which example best illustrates a capability that would cross a red line according to this material?
Why might publishing use case documentation be an obligation for AI deployers?
What is 'uplift' in the context of dual-use AI research?