Traditional safety metrics for AI assistants in dual-use biology—those percentages of refusal rates and successful "jailbreaks"—have officially ceased to reflect real-world risks. Research by Dipesh Tharu Mahato from New York University proves that evaluating a base model in isolation is a pointless exercise. What matters is not how neural network weights react to forbidden keywords, but how a user interacts with the entire deployment stack, including system prompts and external guardrails. A system that blocks every query is useless for science; a system that yields to manipulative rephrasing is lethally dangerous.
Shifting the Focus to Access Conditions
Mahato shifts the focus from "naked" models to specific access conditions. The central question now is whether a protective layer preserves the tool's utility for legal research while meaningfully reducing the capacity for harmful actions. To address this, Mahato introduced the "safeguard-conditioned uplift" protocol, which measures the utility-risk frontier across 108 surrogate tasks. A blind audit involving experts revealed that external filters reduce the risk of destructive actions by only a negligible margin (–0.063) compared to standard helpful prompts.
Protection effectiveness must be defined by the movement of the "operating point" between utility and risk, rather than a primitive tally of blocked keywords.
Comparing Claude and Gemini
The study found there is no one-size-fits-all solution. Protective prompting works best for Claude, while external control systems are more effective for Gemini—though at the cost of a sharp decline in the quality of answers to legitimate queries. This presents a classic dilemma: you either build an impregnable but useless fortress, or you leave the gate open for anyone who knows how to ask politely.
Executive Takeaways
For CTOs and senior management in biotech, this represents a paradigm shift:
Do not rely on standard safety benchmarks: refusal rates are an extremely weak indicator of actual security. Your primary metric should be the delta between legal research productivity and the accessibility of step-by-step instructions for pathogen creation. Evaluate the entire AI deployment stack as a single unit, as the interaction between the model and its control layers—rather than developer marketing promises—determines your true security posture.