Published: 2026-07-12
Categories: AI Governance and Policy
Key Takeaways
The UK AI Security Institute (AISI) published its first Frontier AI Trends Report on December 18, 2025, aggregating two years of government-led evaluations across more than thirty frontier AI systems since November 2023 [1][2]. The report documents a rapid rise in cyber task completion, with models moving from roughly 10 percent success on apprentice-level tasks in early 2024 to 50 percent by 2025, and the first model capable of completing expert-level tasks requiring a decade of human experience appeared during 2025 [3][4]. AISI’s biology and chemistry evaluations show frontier models now regularly exceed PhD-holder baselines on knowledge assessments, and its wet-lab testing found AI assistance made non-experts nearly five times more likely to produce a feasible viral recovery protocol than they would using internet research alone [5][6]. Safeguard testing found a universal jailbreak in every system evaluated, though the expert effort required to discover certain categories of harmful jailbreaks has risen substantially between model generations [3][4]. Self-replication evaluations under AISI’s RepliBench framework recorded success rates on early-stage tasks climbing from under 5 percent to over 60 percent in two years, though models still fail at later replication stages outside controlled test environments [6]. AISI has stated explicitly that the report is not intended to make policy recommendations, positioning it instead as an evidentiary baseline intended to anchor future regulatory and industry decisions in measured capability rather than speculation [2].
Background
AISI began evaluating frontier AI systems in November 2023, initially operating as the AI Safety Institute before the UK government renamed it the AI Security Institute in February 2025, a change widely read as reflecting a sharper focus on national security and criminal misuse risks. As a directorate of the Department for Science, Innovation and Technology, AISI has spent two years running pre-deployment and post-deployment evaluations of the most capable models released by major AI developers, testing for capabilities in cybersecurity, biology and chemistry, autonomous behavior, and susceptibility to jailbreaking [1]. The Frontier AI Trends Report is the first time the Institute has synthesized this body of testing into a single public document rather than releasing findings piecemeal through individual model evaluations or blog posts.
AISI has framed the report’s purpose as substituting empirical measurement for speculation about frontier AI risk [2]. AI Minister Kanishka Narayan described the release as putting “evidence, not speculation, at the heart of how we think about AI,” while Jade Leung, the Prime Minister’s AI Adviser, described the Institute’s role as cutting through speculation with rigorous science to keep pace with rapid capability growth [2]. AISI has been explicit that the report does not itself prescribe regulatory action; it is designed to give policymakers, industry, and the public a shared, data-grounded starting point for that conversation [2]. This framing matters for how the document should be read: it is a baseline-setting exercise, not a proposed rulebook, and its influence on future regulation will depend on how governments and companies choose to act on the trends it documents.
That regulatory backdrop is itself unsettled. The UK government has signaled its intent to introduce a Frontier AI Bill that would place AISI on a statutory footing and grant it powers to compel pre-deployment testing of the most capable models, and the government has reiterated its commitment to bring that legislation forward in 2026, though as of this analysis the bill had not yet been introduced to Parliament [7]. In the interim, AISI’s voluntary testing arrangements with frontier developers remain the primary mechanism by which the UK government gains visibility into model capabilities, which makes the Trends Report’s aggregated findings a rare public window into evaluation work that would otherwise remain confidential between the Institute and individual AI labs.
Security Analysis
The report’s cyber capability findings carry the most direct relevance for enterprise security teams. AISI measured the length of cyber tasks — expressed in terms of how long a human expert would need to complete them — that models can now finish unassisted, and found this capability horizon doubling roughly every eight months, a figure AISI itself describes as an estimated upper bound rather than a fixed rate [1]. Combined with the jump in apprentice-level task success from about 10 percent to 50 percent over a comparable period, this trend suggests that AI-assisted offensive tooling may be becoming more capable at a pace that outstrips typical enterprise security planning cycles, though no source-backed baseline for a “typical” planning cycle is available to confirm that comparison precisely. The appearance in 2025 of a model able to complete tasks that would normally require a decade of specialist experience suggests that some categories of advanced exploitation or vulnerability research, previously gated by scarce human expertise, may become accessible to a much wider population of less-skilled operators within the next several product cycles.
The biology and chemistry findings raise a distinct but related concern: the erosion of expertise as a natural barrier to misuse. AISI’s data show non-experts assisted by frontier models approaching parity with, and in some troubleshooting tasks exceeding, PhD-level human performance [5], and its controlled wet-lab evaluations found AI assistance made viral recovery protocols nearly five times more achievable for a non-specialist than unaided internet research [6]. Plasmid design work that once took weeks reportedly compressed to days with AI assistance [6]. None of this indicates that frontier models are actively being used for bioweapons development, and AISI’s own framing stresses that these are controlled evaluation results rather than observed real-world incidents. The signal for security and biosafety practitioners is that the assumption underlying much dual-use research governance — that specialized technical skill itself functions as a control — is weakening, and organizations that rely on that assumption in their risk models should revisit it.
The safeguards findings are more mixed than they may first appear. AISI found that every frontier system it tested had at least one universal jailbreak, confirming that none of the systems AISI tested provided categorical protection against determined attempts to elicit harmful output [6]. At the same time, the Institute documented a case in which one model required roughly forty times more expert effort to jailbreak for biological-misuse content than its predecessor released six months earlier, indicating that safeguard engineering is improving unevenly across harm categories even as it remains fundamentally penetrable [3]. Security teams should read this as confirmation that defense-in-depth around AI deployments — rather than reliance on model-level safeguards alone — remains necessary, particularly for any deployment involving dual-use scientific or offensive-security capability.
The self-replication findings, drawn from AISI’s RepliBench evaluation suite, describe a capability trend still in its early stages but moving quickly. Success rates on tasks associated with early replication stages — such as acquiring compute resources or funds — rose from under 5 percent to over 60 percent across the two-year testing window, even as models continue to fail at later-stage replication tasks and show no evidence of attempting replication outside controlled, simplified test environments [6]. This gap between early- and late-stage success is a meaningful reassurance in the near term, but the trajectory of the early-stage numbers means that autonomous agent governance — already an active concern documented in CSA’s own survey research — deserves closer attention as a forward-looking risk category rather than a purely theoretical one.
Finally, the report’s finding that open-source models now lag frontier closed systems by only four to eight months has structural implications beyond any single vendor relationship [4]. That four-to-eight-month figure is a general capability-benchmark metric rather than one specific to cyber or biosecurity domains, but if similar lag times hold in those domains, capabilities documented in frontier-model evaluations — including the cyber and biosecurity trends above — may be expected to propagate into widely available open-weight models within less than a year. Security programs that scope AI risk management around a small number of frontier vendors may be underestimating how quickly comparable capability — and comparable risk — becomes accessible through open-source deployment paths that are harder to monitor or gate centrally.
Recommendations
Immediate Actions
Security and risk teams should incorporate AISI’s published capability trend lines directly into existing AI threat models rather than treating the report as background reading. The cyber task-completion curve and the roughly eight-month doubling period for unassisted task length provide a concrete, government-sourced growth rate that can anchor internal projections of how quickly AI-assisted attack tooling may need to be defended against. Organizations operating in biosecurity-adjacent or dual-use research contexts should likewise review any assumption that specialized human expertise functions as a control, given AISI’s wet-lab findings on protocol generation.
Short-Term Mitigations
Enterprises deploying agentic or autonomous AI systems should treat the report’s self-replication and autonomy findings as a prompt to strengthen agent governance now, before early-stage capability gains translate into broader operational risk. This includes applying structured red-teaming methodologies to agent authorization, control hijacking, and resource-acquisition scenarios, and closing the gaps that CSA’s own 2026 survey research identified between organizations’ perceived visibility into their AI agents and their actual ability to discover, monitor, and decommission them. Because AISI found universal jailbreaks across every tested system, organizations should also ensure that safeguard assumptions built into AI-enabled products or internal tooling are backed by independent monitoring and layered controls rather than trust in vendor-side safeguard claims alone.
Strategic Considerations
Over the medium term, organizations with UK operations or UK regulatory exposure should track the status of the proposed Frontier AI Bill, which would grant AISI statutory authority and pre-deployment testing powers over the most capable models. Given the legislative uncertainty around that bill’s timeline, compliance and government-affairs functions should plan for a period in which voluntary testing arrangements between AISI and frontier developers remain the primary oversight mechanism, and should treat future AISI Trends Report editions as a recurring, authoritative signal of where capability — and therefore risk — is heading, independent of whether formal legislation has caught up. Finally, the narrowing gap between open-source and closed frontier models means governance frameworks should be built to scale across the full AI supply chain an organization uses, not just its relationships with the largest frontier labs.
CSA Resource Alignment
AISI’s self-replication and autonomous-behavior findings connect directly to CSA’s Autonomous but Not Controlled survey report, which found that 65 percent of surveyed organizations experienced an AI agent security incident in the past year and that only 21 percent have formal agent decommissioning processes despite widespread confidence in agent visibility. Read alongside AISI’s RepliBench trend line, this CSA data suggests that the governance gaps organizations already report in day-to-day agent management are the same gaps that would matter most if autonomous capability continues to climb along AISI’s observed trajectory.
The report’s emphasis on structured, repeatable evaluation of AI systems for dangerous capabilities and safeguard weaknesses parallels the methodology CSA and OWASP AI Exchange jointly published in the Agentic AI Red Teaming Guide. Organizations seeking to apply AISI’s findings internally can use the Guide’s twelve threat categories, spanning authorization hijacking through supply chain attacks, as a practical testing framework for the same classes of risk AISI evaluates at the frontier-model level.
More broadly, the governance questions AISI’s report raises about capability disclosure, pre-deployment testing, and organizational responsibility for dual-use AI systems map onto the domains covered in CSA’s AI Controls Matrix (AICM) v1.1. Enterprises building internal governance programs in response to accelerating frontier capability should use AICM’s control domains as the structural backbone for policies covering model testing, safeguard verification, and agent lifecycle management, rather than developing bespoke governance from scratch.
References
[1] AI Security Institute. “Frontier AI Trends Report.” AISI, December 2025.
[2] GOV.UK. “Inaugural report pioneered by AI Security Institute gives clearest picture yet of capabilities of most advanced AI.” GOV.UK, December 18, 2025.
[3] AI Security Institute. “5 key findings from our first Frontier AI Trends Report.” AISI Work Blog, December 2025.
[4] techUK. “UK AI Security Institute releases inaugural Frontier AI Trends Report.” techUK, December 2025.
[5] GOV.UK. “AI Security Institute – Frontier AI Trends report factsheet.” GOV.UK, December 2025.
[6] Transformer News. “AI is making dangerous lab work accessible to novices, UK’s AISI finds.” Transformer News, December 2025.
[7] Long Term Resilience Institute. “How the UK AI bill can improve AI security.” Long Term Resilience Institute, 2026.