Leading AI lab progresses toward RAND SL3 security
OpenBrain's security level is typical of a fast-growing ~3,000 person tech company (RAND's SL2). They are working hard to protect their weights and secrets from insider threats and top cybercrime syndicates (SL3).
What AI 2027 Predicted
The scenario describes a specific security progression at the leading AI lab. In early 2026, the lab’s security is at RAND’s Security Level 2 (SL2) — typical of a fast-growing tech company — and they are actively working to reach SL3, which involves protecting model weights from “insider threats and top cybercrime syndicates.” The RAND framework defines security levels as:
- SL2: Protects against opportunistic attackers and basic cybercrime
- SL3: Protects against sophisticated persistent threats, insider threats, and top cybercrime organizations
- SL4: Protects against nation-state actors (intelligence agencies)
The implication is that in early 2026, labs are vulnerable to nation-state theft (which plays out later in the scenario when China steals model weights).
How We Track This
We monitor:
- RAND security level assessments and recommendations
- AI lab security disclosures and commitments
- Third-party security audits of frontier labs
- Cybersecurity incidents at AI companies
- AI Safety Institute evaluations of lab security practices
- Lab security commitments in safety policies (RSPs, Preparedness Frameworks)
Current Evidence
Evidence suggests labs are indeed operating in the SL2–SL3 transition zone, with significant pressure to improve:
RAND framework adoption: RAND published its “Playbook for Securing AI Model Weights” (May 2024) defining the SL1–SL5 framework. LessWrong analysis noted that lab commitments range from “generally aligned with RAND SL2” to “RAND SL4,” with most current practice at SL2–SL3. The analysis concluded “AI companies aren’t planning to secure critical model weights” at levels commensurate with the threat.
Anthropic espionage incident: In September 2025, Anthropic detected a “highly sophisticated espionage campaign” targeting its systems. The attackers used AI’s agentic capabilities “to an unprecedented degree — using AI not just as an advisor, but to execute the cyberattacks themselves.” This incident validated the scenario’s concern about labs being targeted and demonstrated the kind of threats SL3 is designed to address.
Lab security investments: Both OpenAI and Anthropic have publicly committed to “continuing to invest in cybersecurity and insider threat safeguards to protect proprietary and unreleased model weights.” VentureBeat (Dec 2025) reported on the growing obsession with model weight security at both companies.
AI 2027’s own security forecast acknowledges that “we expect security to be less of a priority through 2025” given that DeepSeek pushed the open-source frontier closer to US labs, reducing the marginal value of weight theft.
Stargate & DOD infrastructure investments: OpenAI’s Stargate project (~10GW planned capacity across multiple sites) represents the largest single AI infrastructure buildout, requiring SL3-level physical and cyber security by default. The DOD contract expansion and national security partnerships create additional compliance pressure toward higher security levels. These are concrete, large-scale SL3 infrastructure investments — the physical instantiation of the security levels this prediction tracks.
Safety policy erosion: TIME reported (Mar 2026) that Anthropic dropped its flagship safety pledge, noting the company may release future models “without ironclad safety guarantees.” This raises questions about whether security investments keep pace even as safety commitments weaken.
Sources:
- A Playbook for Securing AI Model Weights — RAND
- AI companies aren’t planning to secure critical model weights — LessWrong
- Disrupting AI Espionage — Anthropic
- Why Anthropic and OpenAI are obsessed with securing LLM model weights — VentureBeat
- Security Forecast — AI 2027
Counterevidence & Limitations
- No independent, public RAND SL assessment of any specific lab has been published — we’re inferring security levels from indirect evidence
- Labs may be further along in security upgrades than their public statements suggest (security improvements are often kept quiet for obvious reasons)
- The Anthropic espionage incident could indicate either SL2 vulnerability (it happened) or SL3 capability (they detected and stopped it)
- The RAND framework is advisory, not regulatory — labs adopt it voluntarily and may interpret levels differently
- DeepSeek’s open-source releases arguably reduce the strategic value of weight theft, potentially slowing security investment
- The political focus on safety guardrails (Anthropic-DOD) may be diverting attention from weight security
What Would Change Our Assessment
- Upgrade to “on-track”: A major lab publicly claims SL3 or is independently assessed at SL3; government mandates SL3+ for frontier models
- Upgrade to “confirmed”: Multiple labs independently verified at SL3 by RAND or equivalent third-party assessment
- Downgrade to “behind”: A successful large-scale weight theft demonstrates that SL2-level vulnerability persists; labs publicly acknowledge they haven’t reached SL3
Update History
| Date | Update |
|---|---|
| 2025-05 | Anthropic designates Claude Opus 4 as the first ASL-3 model (May 22). ASL-3 is defined as the threshold where a model could provide meaningful uplift toward weapons of mass destruction. This is the first time a frontier model has crossed this threshold with binding operational consequences — enhanced security and deployment requirements now apply. |
| 2025-12 | Anthropic espionage incident validates the threat model for insider threats at AI labs. |
| 2026-03 | Labs appear in SL2–SL3 transition. Significant security investments underway but no public SL3 certification achieved yet. |