AI Infrastructure Security - Stage 1 Report

7 Aug

Introduction 

The AI Security project was designed to address a growing need in the field of AI governance: how to forecast progress in AI security in a way that is timely, decision-relevant, and grounded in concrete milestones. 

For the purposes of Stage 1 (pilot phase), the Swift Centre collaborated with the AI Security Forum and, through sessions with industry experts, chose to focus on forecasting developments in model protection as a tractable and policy-relevant entry point into the broader landscape of AI risk mitigation.

While many efforts in AI risk forecasting focus on outcomes (such as catastrophic risks or the emergence of dangerous capabilities), this pilot approached the problem from a complementary angle: focusing on security measures that might reduce the probability or severity of such risks. In other words, we asked: “When will meaningful security measures be adopted, and what would affect their implementation timelines?”

This perspective aims to equip policymakers, funders, and practitioners with early indicators of institutional maturity and preparedness, alongside the potential for interventions to deliver stronger security of AI development.

To guide this work, the project focused on the RAND SL1–SL5 framework, currently one of the most comprehensive frameworks for evaluating AI infrastructure security.

The project followed a workshop-based process to co-develop forecasting questions and generate forecasts. Workshops were held online across a six-week period (May–July 2025), and included subject matter experts from AI policy, cybersecurity, and frontier AI development, alongside world-leading trained Swift Centre forecasters.

Workshop process:

  • Workshop 1 (May 27): Mapping the landscape of AI security and RAND SL levels

  • Workshop 2 (June 5): Developing and refining forecasting questions through group discussion

  • Workshop 3 (June 26): Clarifying questions, sharing initial forecasts, discussing divergences

  • Workshop 4 (July 3): Review of forecasts, scenario evaluations, and submission of final judgments

  • Deadline to submit forecasts was July 7, 2025

This report summarises the results and outlines a roadmap for scaling this work into a broader research initiative, with the possibility of collaborating with strategic partners.

While Phase 1 focused specifically on two representative security milestones, future phases will expand both the breadth and depth of the work – covering a wider set of security measures and diving deeper into the scenarios and drivers that shape their adoption. This pilot is laying the foundation for a sustained forecasting effort to support decision-makers navigating the evolving landscape of AI security.

Results

QUESTION 1:

Will three or more frontier AI labs publicly commit to external cybersecurity audits aligned with RAND SL3 by the end of 2026?

The final aggregated forecast for this question is 38%.  

https://viz.swiftcentre.org/results/lxZ9oc06U2k/1754472023055?r2_url=https%3A%2F%2Fdata.swiftcentre.org&showQuestions=lxZ9oc06U2k


There was significant variance across the forecasts provided (with assessments for this question ranging from 9% to 70%), reflecting divergent expectations about whether labs will both adopt SL3-aligned audits and choose to publicize those commitments. Several key themes emerged from participant rationales and workshop discussions:
