Know Your Scientist: KYC as Biosecurity Infrastructure

Biological AI tools for protein design and structure prediction are advancing rapidly, creating dual-use risks that existing safeguards cannot adequately address. Current model-level restrictions, including keyword filtering, output screening, and content-based access denials, are fundamentally ill-suited to biology, where reliable function prediction remains beyond reach and novel threats evade detection by design. We propose a three-tier Know Your Customer (KYC) framework, inspired by anti-money laundering (AML) practices in the financial sector, that shifts governance from content inspection to user verification and monitoring. Tier I leverages research institutions as trust anchors to vouch for affiliated researchers and assume responsibility for vetting. Tier II applies output screening through sequence homology searches and functional annotation. Tier III monitors behavioral patterns to detect anomalies inconsistent with declared research purposes. This layered approach preserves access for legitimate researchers while raising the cost of misuse through institutional accountability and traceability. The framework can be implemented immediately using existing institutional infrastructure, requiring no new legislation or regulatory mandates.

💡 Research Summary

The paper addresses the growing biosecurity threat posed by rapidly advancing AI tools for protein design and structure prediction. Existing safeguards—keyword filtering, output blocking, and content‑based access denial—are shown to be fundamentally inadequate for biology because reliable functional prediction remains out of reach and novel malicious designs can evade detection by design. To overcome these limitations, the authors propose a three‑tier “Know Your Scientist” (KYC) framework that adapts the identity‑verification and transaction‑monitoring practices of anti‑money‑laundering (AML) systems in the financial sector to the domain of biological AI.

Tier I – Institutional Gatekeeping: Access requests are routed through the researcher’s home institution rather than directly to the model provider. The institution verifies the researcher’s identity, affiliation, and declared purpose, and vouches for the user. Hosting entities maintain a whitelist of trusted institutions and deny access to individuals or organizations appearing on government sanction lists (e.g., OFAC SDN, State Department FTO, Commerce Entity List). Institutions may also perform enhanced due diligence for higher‑risk users, creating a clear chain of accountability that shifts the vetting burden from model providers to entities with better oversight capability.

Tier II – Output Screening: Every generated sequence is examined in real time using existing bioinformatics tools such as BLAST for homology searches, ontology‑based functional annotation, and, as the field matures, protein function predictors and toxicity assessors. When a sequence matches known pathogenic motifs or otherwise raises a risk flag, the system logs the event, temporarily freezes the output, and notifies a human reviewer. The reviewer checks whether the flagged output aligns with the user’s declared research purpose (e.g., vaccine development versus unexplained pathogen design). The framework also anticipates integration of watermarking and output‑enhancement technologies to improve traceability when sequences are synthesized.

Tier III – Behavioral Monitoring: Long‑term usage patterns are analyzed to detect deviations from the declared research agenda. Signals include repeated interactions with flagged outputs, cumulative risk scores, anomalous access times, or unexpected workflow sequences. A threshold‑based accumulation of such signals triggers a review, but enforcement (suspension or revocation of access) remains a human decision to avoid false positives. This tier mirrors AML transaction monitoring, focusing on patterns rather than isolated events.

The three tiers are designed to be independent yet complementary. Institutional verification establishes trust at entry, output screening provides immediate, context‑aware alerts, and behavioral monitoring captures subtle, evolving misuse. By distributing responsibility—institutions vet researchers and intent, while hosting platforms enforce technical controls—the framework avoids over‑centralization and leverages existing institutional infrastructure (identity management, IRB/IBC processes, logging systems).

Risk‑based calibration is built into the model: lower‑risk tools (e.g., small protein language models) may require a lighter institutional trust threshold, whereas high‑risk systems capable of de novo genome design would demand institutions with robust biosafety oversight. The framework also allows sponsoring institutions to endorse non‑affiliated collaborators, extending accountability while preserving flexibility for joint projects.

Implementation is argued to be immediate, requiring no new legislation. Existing university and research‑center authentication mechanisms, combined with standard bioinformatics pipelines, can be repurposed for KYC compliance. The authors acknowledge that success hinges on establishing inter‑institutional trust relationships, standardizing vetting procedures, and ensuring efficient human review workflows to handle flagged events without creating prohibitive friction for legitimate scientists.

In summary, the paper proposes a pragmatic, layered governance model that shifts biosecurity control from fragile content inspection to robust user verification and continuous monitoring, drawing on proven AML practices. This approach aims to preserve open scientific collaboration while raising the cost and difficulty of malicious biological AI use.