THE ASYMMETRY
OF ADAPTATION
OF ADAPTATION
I. Introduction
II. Lowering the Floor for Harm
Kinetic Warfare
Chemical, Biological, Radiological, and Nuclear (CBRN) Warfare
IV. The New Strategic Calculus
V. Concluding Remarks
I. Introduction
The proliferation of advanced artificial intelligence (AI) is rapidly reshaping the global security landscape, and nowhere is this transformation more destabilizing than in its adoption by non-state actors (NSAs). The epicenter of this shift is not just the arrival of new tools, but a fundamental change in the nature of conflict itself. This is heralded by a handful of research labs whose design decisions, safety trade-offs, and release models now serve as a form of de facto international security policy. Their internal debates over a model’s capabilities and its release structure are, in effect, private arms-control negotiations that have immediate, public, and global security consequences.
This new reality is driven by an asymmetry of adaptation. Agile NSAs operate without the bureaucratic friction and ethical and legal constraints that bind states. They can adopt, modify, and deploy new technologies at the speed of innovation. In today’s world, AI acts as an evolutionary accelerant for agile non-state actors while often becoming a bureaucratic obstacle for the states that must defend against them. Capabilities once confined to the arsenals of well-resourced nation-states are becoming increasingly accessible through commercially available AI tools. This democratization is not just a quantitative shift, providing more actors with more tools, but a qualitative leap, empowering a more diverse set of NSAs — from radicalized individuals to sophisticated criminal organizations — to challenge established power dynamics with a level of sophistication previously reserved for nation-states.
The prevailing scholarship often focuses on state-centric competition as a driver for this shift. This, however, mistakes the effect — a state-level AI arms race — for the cause, the underlying proliferation of the technology itself. In this paper, I argue that the primary driver of the new, increasingly asymmetric threat landscape is the AI development ecosystem. The design, training, and release of frontier models — both closed and open-source — are directly lowering the floor for NSAs to conduct catastrophic attacks and, in time, will raise the ceiling of damage they can inflict.
This paper will analyze this transformation in three parts. First, it will examine how the dual-use capabilities embedded in lab-built models — from large language models (LLMs) to biological design tools (BDTs) — are democratizing the capabilities for harm. Second, it will explore the inherent risks, evaluating how the synthesis of AI capabilities creates qualitatively new threats. It will conclude with an assessment of how these transformations force a fundamental re-evaluation of the strategic calculus for the modern state.
II. Lowering the Floor for Harm
The most significant and immediate risk factor for NSA adoption of increasingly powerful AI is its unprecedented accessibility. Open-source models, commercial off-the-shelf drones and GPUs, and generative AI platforms have dramatically lowered the financial and technical barriers to entry to intelligent warfare, terrorism, and societal manipulation. Their ability to create disproportionate effects on states without a large investment in time, expertise, or conventional weaponry is a key motivator for NSAs to adopt them to amplify the effectiveness and speed of their tactics.
Cyber and information warfare
The information domain is a primary arena for early exploitation by NSAs. Large Language Models (LLMs) and other generative AI tools allow NSAs to overcome resource limitations and language barriers, producing vast amounts of propaganda at minimal cost. AI-generated propaganda may be more effective than what they could have written themselves.
A notable example is ISIS’s AI-generated ‘News Harvest’ bulletins, which feature AI-generated anchors made to resemble an Al Jazeera broadcast. This makes the content appear more credible and harder for moderation systems to detect and remove, but also reduces the requisite time, skill, money, and energy required to produce it. This is an early step toward a future where NSAs can generate entire, credible-looking news or social media channels, flooding the information space with propaganda that is difficult to distinguish from legitimate journalism. It also reduces the need for charismatic human ideologues to be the ‘face’ of a movement.
This tactic of creating seemingly legitimate news outlets is a core component of China-linked disinformation campaigns like Spamouflage (also known as Dragonbridge). For instance, in a campaign dubbed ‘Sneer review,’ operatives used ChatGPT both to generate a barrage of critical comments against a Taiwanese video game but also to subsequently write a long-form article claiming it had received backlash. China-linked actors have created fake news websites that publish AI-generated summaries of state media articles in multiple languages to facilitate the spread of CCP propaganda through what is perceived as independent journalism.
The radicalization and recruitment pipelines of extremist groups are, too, enhanced by AI. These systems can analyze individuals’ online behavior and digital footprints to identify vulnerabilities and tailor propaganda that resonates with specific psychological profiles, thereby increasing the likelihood of successful recruitment. The Islamic State Khorasan Province (ISKP) is notable for extensive propaganda efforts, managed by its media wing, the Al-Azaim Foundation, which promotes ‘media jihad’ by producing multilingual content tailored for different audiences. After the Kabul Airport bombing in August 2021, for example, ISKP targeted disillusioned Taliban members by branding the peace agreements with the Taliban as a betrayal of Sunni Muslims, aiming to exploit rifts and position itself as the sole purveyor of authentic jihad.
AI also lowers the technical barrier for entry into cybercrime, enabling smaller, less advanced groups or individuals with malicious intentions to conduct operations that previously required significant manpower, expertise, or finances. Anthropic reported a case where a novice actor utilized a Claude model to rapidly develop malware with sophisticated features like facial recognition, dark web scanning, and a graphical user interface for generating fully undetectable payloads. They thereby enhanced their technical abilities.
The emergence of specialized illicit AI tools on dark web forums such as WormGPT
Kinetic Warfare
Unmanned Aerial Vehicles (UAVs)Between 2016 and 2022, researchers have reported 440 cases of NSAs like ISIS, Ansar Allah/the Houthis, and Hay’at Tahrir al-Sham (HTS) using weaponized UAVs, which have struck everything from armored vehicles to civilian homes to oil facilities.
NSAs are adept at converting commercially available technology into lethal weapons, and as AI makes drones smarter and more autonomous — especially in the West — we must face the risk of NSAs developing and deploying increasingly sophisticated autonomous weapons systems. Advancements in autonomous drones provide tangible operational advantages, including improved target recognition and navigation in complex environments, and, critically, a heightened resilience to electronic warfare that allows a drone to complete its mission even when jammed or to avoid detection altogether. This furthers an already potent asymmetric advantage, borne primarily of the proliferation of cheap commercial drones. Such asymmetry is already palpable now that advanced systems are commercially available and, in cases, fall into the hands of non-state actors.
Commercial-off-the-shelf (COTS) drones provide a critical lens. Take Dà-Jiang Innovations (DJI) as an example. Their drones are globally available, relatively inexpensive, user-friendly, highly adaptable, and increasingly capable for various munitions and purposes. Performance metrics, especially transmission distance, have seen dramatic improvements in the last decade, with some 2023 models boasting ranges of over 12 miles, a significant increase from the sub-one-mile ranges of the last decade. A key impact of this is that operators can remain at a safer, more concealed distance from their targets.
ISIS, among other terrorist groups like Hamas,
Turkey’s STM Defence sells the Kargu drone, a system possessing a 1.1kg warhead, autonomous tracking and hit capabilities, a facial recognition system, and swarm capabilities. These were delivered to Libyan militias, which have used the systems to attack logistics convoys and armed forces affiliated with Khalia Haftar.
NSAs acquire drones, or their components, in a variety of ways. The Houthi Rased, or “surveyor” drone,
The ability to perform complex AI computations directly on the drone (edge computing) is a critical enabler for true autonomy, especially in environments where communication links may be jammed or unavailable. Edge devices are able to process captured data with a system of sensors, an edge processor, an inference engine, and communication and navigation modules, without having to rely on cloud infrastructure.
There are several barriers to the proliferation of AI within NSA kinetic systems. Systems integration, for one, is key. While open-source computer vision software is readily available, reliably integrating and fusing data from a suite of sensors to create a coherent and accurate understanding of a complex and contested environment is a significant engineering challenge. Onboard autonomy also requires powerful processing hardware that is difficult for NSAs to acquire; further, there is a fundamental trade-off between processing power, energy consumption, and the drone’s size, weight, and power (SWaP) constraints — more powerful processors consume more energy, which requires larger batteries, increasing weight and reducing flight time and maneuverability. And if a mainstream model cannot be jailbroken, or an open-source model cannot be tweaked, then a bespoke one will require vast amounts of relevant training data (for instance, thousands of images of armored vehicles from multiple angles), which is also difficult to collect, and requires significant compute, which is difficult to acquire. This would be a more realistic scenario for a better-resourced NSA, such as Al-Qaeda, rather than a lower-resourced NSA or hacktivist group. In the near-term, these capabilities may evolve to AI-augmented targeting, which would enable NSAs to use AI for terminal guidance. More advanced applications, such as swarms of autonomous drones or targeted assassinations, become much more plausible upon successful mastery of this step.
Chemical, biological, radiological, and nuclear (CBRN) warfare
Developments in AI, from LLMs to biological design tools (BDTs), pose immense risks for biosecurity.
Large Language Models
Actors can use LLMs like ChatGPT, Claude, and Gemini to generate information and instructions about CBRN creation that would require significantly more time, energy, and patience to uncover manually.
OpenAI’s GPT-5 System Card, published August 13, 2025, noted that the model meets the lab’s threshold for “high” capability in the biological and chemical domain, being “on the cusp” of reaching the ability to “meaningfully help a novice to create severe biological harm.” The lab subsequently activated its associated high-capability preparedness safeguards.
Anthropic’s Claude 3.7 Sonnet System Card, published February 2025 (just eight months after 3.5 Sonnet), also noted that the model, compared to previous models, provided better advice in key steps of the weaponization pathway and made solving complex problems in CBRN weapon creation faster.
Google’s Frontier Safety Framework and 2.5 Deep Think model card show that their models are at risk of reaching the critical capability level for CBRN Uplift Level 1 in the near future, meaning the model could “significantly assist a low-resourced actor with dual-use scientific protocols, resulting in a substantial increase in ability to cause a mass casualty event.”
Chinese lab DeepSeek poses potentially the highest risks of the most readily available LLMs, as their model, R1, is not only more prone to jailbreaking than ChatGPT, Claude, and Gemini,
Biological design tools
It is unlikely that an actor will be able to use LLMs to build a CBRN weapon end-to-end. A sophisticated actor would likely need to combine the knowledge gleaned from LLMs with the synthesis capabilities offered by biological design tools (BDTs), which are rapidly progressing in their capabilities, too.
In February 2025, the world’s largest biological AI foundation model, Evo 2, was released by researchers from the Arc Institute and Nvidia. Trained on over 128,000 human, animal, plant, bacterial, and viral genomes, it is an open-source platform that allows users to generate genomic sequences.
III. Raising the Ceiling of Harm
The enhancement of NSA capabilities within these distinct domains is, on its own, a destabilizing force that is already challenging global security. The proliferation of AI-powered tools represents a terrifying new baseline for violence, one that states are already struggling to counter. This, however, is merely the floor. To focus only on these enhancements is to mistake a linear improvement for an exponential one. In time, AI will evolve from making NSAs more efficient to granting them access to new categories of harm. A dangerous and unpredictable asymmetry will define this next phase of threat. Unconstrained by law or ethics, NSAs can innovate and deploy destructive tactics with an agility that state actors cannot match. It is in this fundamental mismatch in speed and adaptability that AI will raise the ceiling of harm.
These capabilities — smarter drones, more potent malware, more persuasive propaganda, more accessible bioweapons — are the individual instruments of violence. One way the ceiling may rise may be with the emergence of an AI orchestrator capable of conducting these instruments in a multi-domain symphony of chaos. The convergence of these threats would be exponentially more challenging to predict, attribute, and counter than the sum of their AI-augmented components, yet another motivator for AI-enhanced, or AI-orchestrated, attacks. The technical foundations for such an orchestrator are already being laid; agentic AI systems are capable of executing increasingly complex multi-step tasks with increasing degrees of autonomy.
The ceiling for AI-driven cyberthreats is also rising rapidly. AI is used to generate polymorphic malware, which autonomously alters its own code with each new infection, ensuring each instance of the malware has a unique signature and therefore effectively renders traditional signature-based antivirus and detection systems obsolete.
The ceiling for influence operations will also be raised from generating propaganda to conducting dynamic, automated cognitive warfare. Future AI systems will be able to not only create content but also conduct population-level sentiment analysis and react to a population’s psychological state in real-time. We may imagine a web of interconnected agents — each specialized for a specific purpose — conducting adaptive campaigns to monitor online sentiment, A/B test narratives and messaging, and inciting undesired behavior. Or, we may imagine an AI agent tasked with acting as a human recruiter to identify vulnerable individuals online and engage them in long-term, personalized conversations, effectively guiding them down a pipeline of radicalization. Moreover, AI systems will, in time, move from helping exploit known software vulnerabilities to discover and weaponize novel exploits. An NSA may task an AI agent not with a specific target, but with a goal — e.g., “create maximum chaos at a major international hub airport.” The AI scans public code repositories for vulnerabilities in popular open-source libraries used in enterprise-level industrial and logistic systems, finding a remote code execution vulnerability in a widely-used open-source message queue library, a piece of middleware that many disparate, complex systems use to communicate. After monitoring flight data to identify a moment of peak passenger traffic, the AI sends a single, carefully crafted malicious data packet to the airport’s network. Because the baggage, gate, and display systems all rely on this compromised open-source library, the single packet corrupts the message queue for all of them simultaneously, and passenger traffic is halted until the problem can be solved. While this previously would have taken considerable expertise and some careful planning, our future portends this being as easy as writing the prompt.
An even more alarming frontier for NSA exploitation is biosecurity, where AI threatens to neutralize our most critical defenses. A key chokepoint designed to prevent a terrorist from acquiring a pathogen is the screening of custom DNA orders by commercial synthesis firms. This strategy, however, is largely predicated on checking whether an order matches a finite status list of roughly 150 known, regulated agents and toxins.
Pathways to open-source weaponization
The popularization of powerful open-source AI models is a key accelerant in raising this ceiling, too, creating an increasingly difficult-to-govern threat vector. Unlike proprietary models that retain some level of developer control through API access, open-source models with publicly released weights grant adversaries complete autonomy to inspect, modify, and operate the system on untraceable, offline hardware, effectively bypassing most proposed regulatory chokepoints.
This creates a dual-use paradox. On one hand, an open and vibrant open-source ecosystem fosters innovation, enhances transparency, and prevents the monopolistic control of a critical technology by a few large corporations or the government. This competition and public scrutiny can lead to more secure and reliable AI systems, a clear benefit for national security. It also benefits the broader innovation economy of the United States and the places where its technologies land. On the other hand, this very openness provides an arsenal for malicious actors who will not adhere to international law or ethical AI norms in their use.
Perhaps the most direct and accessible pathway to weaponization of open-source models is by malicious fine-tuning. An NSA can take a general-purpose, open-source foundation model, such as Meta’s Llama or China’s DeepSeek, and further train it on a small, specialized dataset to optimize it for a specific harmful task. This process is vastly cheaper and faster than training a model from scratch, and bypasses many of the safeguards instituted on data center customers. We may expect an NSA to fine-tune an LLM on a curated dataset of extremist texts to create a propaganda and recruitment bot that speaks with the authentic voice of the ideology. Alternatively, the NSA could fine-tune a model on a repository of malware code to create an assistant for developing cyber or CBRN weapons. Scientists have already demonstrated this vulnerability by fine-tuning the open-source biology model Evo 1 with data on viruses that are infectious to humans.
Another technical pathway is jailbreaking, which involves crafting adversarial prompts designed to bypass a model’s safety features and alignment training. While this technique can be used against closed models via their APIs, it is particularly potent against open-source models, where the underlying architecture and training data can be studied to discover weaknesses. A robust online ecosystem is dedicated to developing and sharing novel jailbreaks, often disseminated publicly on platforms like GitHub. Models with minimal or poorly implemented guardrails, such as DeepSeek, are highly susceptible to these techniques.
Model backdooring provides a more insidious and sophisticated supply chain attack, allowing a malicious actor to embed a hidden trigger and harmful payload into an open-source model before it is publicly distributed. The compromised model would behave normally on all standard evaluations and for most users. However, when it receives an input containing a trigger, it executes a malicious function that could involve leaking data, executing code, or producing a biased and harmful output. These techniques are being readily discovered by researchers in the private market — American security software company Hidden Layer discovered an exploit they dubbed ShadowLogic, which, unlike typical code exploits, can manipulate a model’s computational graph to insert a backdoor that survives fine-tuning, able to execute attacker-defined triggers.
IV. The New Strategic Calculus
This impending reality forces a new strategic understanding, altered across at least four fundamental dimensions critical for the modern state.
The state no longer holds a monopoly on asymmetric violence
For centuries, the ability to inflict strategic harm — to directly challenge a state’s political stability, economic integrity, or social cohesion — was the exclusive domain of other states. This was a function of scale and resources; conducting complex intelligence operations, deploying sophisticated weapons systems, precise targeting, or running mass-influence campaigns required an immense investment in infrastructure, personnel, and capital that only a state could expend.
AI fundamentally challenges this long-held monopoly. A non-state actor can now achieve strategic effects through a variety of low-cost, high-impact means. A coordinated drone attack on critical economic infrastructure, such as the 2019 Houthi strike on Saudi Aramco facilities, which cost little to execute but temporarily halved the nation’s oil output, can have strategic economic consequences. An AI-orchestrated information campaign can amplify societal divisions, incite political violence, and erode trust in democratic institutions, directly challenging a state’s political stability without firing a single shot. In kinetic terms, the proliferation of cheap, commercially available, and increasingly autonomous drones threatens to overwhelm and neutralize sophisticated, multi-billion-dollar air defense systems — a key pillar of modern state military power — particularly when the integration of AI is made feasible.
The proliferation of AI also creates a high-speed arms race that structurally favors the attacker. The use of AI in both offense and defense is not a symmetrical competition. AI-driven malware can adapt to defenses in real-time, while AI-powered vulnerability discovery dramatically shortens exploit development timelines. Defensive AI, while powerful, is inherently reactive and must protect an entire, ever-expanding attack surface. Offensive AI, in contrast, has the advantage of asymmetry: it only needs to find a single, undiscovered flaw. This creates a persistent attacker’s advantage, where agile NSAs can develop and leverage novel AI attack vectors before large, bureaucratic state defenses can fully understand and adapt to them. NSAs also hold power in their disregard for international law and ethics — while Western nations are increasingly constrained by ethical and legal guidelines surrounding AI use, NSAs see advantage in our lack of ability to counter asymmetric, AI-driven threats.
The implication is that states must re-evaluate who constitutes a “peer-level” threat. The strategic landscape is no longer a small club of nation-states, but a crowded, chaotic arena of state and non-state actors with overlapping capabilities.
From predictable threat to probabilistic risk
The traditional national security model has long been based on identifying a finite number of potential adversaries with the capabilities to cause harm — other states, a few major terrorist organizations, hacker groups — and developing specific countermeasures tailored to their known capabilities and intentions. This rested on the assumption that strategic threats were posed by identifiable, trackable, and relatively stable organizations. AI renders this model, too, obsolete.
When the specialized skill and tacit knowledge required to conduct a sophisticated cyberattack or develop a biological weapon are radically lowered, the “who” of the threat expands exponentially to nearly anyone with a motive. When the hardware for a precise kinetic attack can be ordered online or easily smuggled across international borders, the barrier to entry for violence is perilously low. Security postures can no longer be calibrated based on the assumed capability of a given NSA, as a group assessed as a low-level threat could suddenly deploy a high-impact, sophisticated attack. The calculus must therefore shift from a predictable, deterministic threat and response model to a probabilistic model of risk and resilience. It becomes impossible to predict and prevent every potential attack from every potential actor. It is prudent, instead, to ensure that core societal functions and critical infrastructure can withstand and rapidly recover from a successful attack, regardless of its origin or nature.
The imperative of holistic defense
A defensive posture built on institutional and domain-specific silos, where a cyber command defends networks, an air force defends airspace, and intelligence agencies counter disinformation, with insufficient interaction, is catastrophically vulnerable to an adversary who treats these domains as a single, integrated battlespace. The convergence of threats enabled by AI makes a siloed defense posture a critical liability.
An adversary no longer has to choose between a cyber attack, a disinformation campaign, or a drone strike; AI makes it easier and more cost-effective than ever to conduct all three in a synchronized fashion to achieve a systemic, cascading failure. A system can be designed in which AI itself orchestrates an attack conducted by a web of malicious agents across cyber, information, and kinetics. A disinformation campaign can be used to amplify the psychological terror of a drone strike or a CBRN event. A cyberattack on emergency services can create chaos that appears to validate a propaganda narrative of state failure. A kinetic attack can serve as a decoy for a massive cyber intrusion. A massive propaganda campaign can be produced in minutes to sway elections.
The only viable defense against such a converged threat is an equally integrated and holistic security posture. A state that attempts to defend its cyberspace, airspace, and information space as separate, disconnected battlefields will lose to an adversary that treats them as one. National security policy must prioritize the resilience of the entire societal system over the hardening of any single component.
V. Concluding Remarks
Artificial intelligence is fundamentally reconfiguring the landscape of conflict by breaking the state’s long-held monopoly on sophisticated violence and democratizing the tools of strategic harm. The epicenter of this transformation, I argue, is not the technology itself but the handful of research labs whose design decisions now serve as de facto international security policy. This is manifested in several ways. The lowering of the floor for catastrophic harm — from allowing fast and fluent creation of propaganda to the creation of malware — is the direct consequence of the dual-use tools these labs have chosen to build and release. The raising of the ceiling for the effects of this harm — from the safeguard-obviating potential of open-source BDTs to the weaponization of AI in commercial drones — is the direct consequence of their proliferation models. And the asymmetry of adaptation, which sees agile NSAs outpace state defenses, is not a natural phenomenon but an accelerated one, fueled by the technological and scientific progress these labs have driven.
One can simply look to history to find that mankind has oft wrestled with such dual-use dilemmas. The 20th century was defined by the struggle to control chemical precursors for explosives, nuclear materials, and advanced cryptography. The challenges presented by AI, however, are fundamentally different. The Crypto Wars of the 1990s, for instance, centered on a defensive technology, essentially a shield. States sought to regulate encryption because it created opacity. The dilemma of AI is more profound. The state is not merely attempting to regulate opacity; it is confronting the proliferation of agency. A chemical precursor, although dual-use, cannot design a new, more potent explosive. A cryptographic key cannot be an agentic partner in a data extortion campaign. The tools being released by AI labs are not simply knowledge in the traditional sense; in attempting to be a replicable form of ‘cognition,’ they introduce, potentially, a co-conspirator.
This qualitative difference demands a fundamental recalculation of our security paradigm. The traditional strategic framework — based on the principles of state-controlled power, identifiable adversaries, and domain-specific defenses — is no longer a viable model for confronting the challenges posed by the accelerating diffusion of power. When an internal debate at a private lab over a model’s release has such profound and immediate consequences for global security, and when the actor behind a catastrophic attack can become practically any adversary, the very concept of security has transformed. The challenge we face is not simply to defend against the weapons of tomorrow, but to build a security paradigm capable of enduring in an age where the power to cause catastrophic harm has been irrevocably democratized, and in which the sovereignty over their creation, definition, and proliferation now rests, in large part, within the walls of a few corporations whose policy decisions have become the most important, and least accountable, in the world.