AI and the Future of Democratic Defense
AI for DC
Welcome (back) to The Prompt. AI isn’t well understood, but we learn a lot in our work that can help. In this newsletter, we share some of these learnings with you:
How China’s cyber special ops are maturing
How we disrupted a covert Chinese influence campaign
How we turned research into stronger safeguards
If you find them helpful, make sure you’re signed up for the next issue.
[Data] The security benefits of AI
We focus a lot on the “kitchen-table” impacts and benefits of AI – the ways it’s affecting people’s day-to-day. The jobs it’s disrupting and creating, the greater productivity it’s enabling, and the energy costs and reindustrialization potential associated with it.
But it’s also both a top national security matter, with four in five Americans agreeing that’s the case, and a tool to strengthen our cyber defenses, which is seen as a top use for AI alongside speeding up scientific and medical breakthroughs, according to our Panterra public opinion research.
Below, we share specific use cases from our colleagues who focus on national security and other emerging threats.
[News] Digital repression, exported
Digital repression is going global. And if you’re still measuring China’s influence operations by likes and retweets, you’re missing the point.
Today, we’re releasing our latest global threat report: case studies from recent months that show how we detect and disrupt malicious uses of our models. In this edition, we report the details of a maturing bureaucratized system of “cyber special operations” inside China that blends online manipulation with offline coercion, targeting not only dissidents at home, but critics and senior officials abroad.
At OpenAI, we recently banned a ChatGPT account linked to an individual associated with Chinese law enforcement. The user attempted to use our model to plan a covert influence campaign targeting Japanese Prime Minister Sanae Takaichi after she criticized human rights conditions in Inner Mongolia. Our model refused. But the same user later returned asking for help polishing a status report describing what appeared to be the campaign’s implementation, suggesting it continued without our tool.
We cannot independently verify every claim in the user’s reports. But several elements aligned with observable online activity, including the appearance of rare hashtags tied to the reported operation across platforms such as X, Pixiv, and Blogspot beginning in late October 2025. These posts accused Takaichi of far-right leanings, criticized US tariffs’ impact on Japanese agriculture, and sought to inflame domestic political debates around immigration and economic strain.
Engagement was limited. But that’s not the point. Influence operations are often judged by virality, but this case suggests a different metric: institutional capacity. The materials described a standing function within state-linked security services – a structured program with province-level teams, hundreds of operators, and thousands of coordinated accounts operating across dozens of platforms. This was not a one-off troll campaign. It appeared embedded in routine state security practice.
Across multiple prompts, the user referenced tactics aimed at identifying, pressuring, and silencing critics worldwide: flooding conversations with pro-CCP content; spreading false claims; stoking tensions within dissident communities; and targeting individuals through impersonation and harassment. Many tactics focused on exploiting platforms themselves – abusive reporting of dissidents’ accounts using forged evidence, impersonation accounts to degrade discoverability, and coordinated efforts to provoke targets into responding so their replies could be mass-reported for takedown.
This is not persuasion in the traditional sense. It is the weaponization of platform governance.
The reports also described integrating online and offline pressure: arrests and interrogations inside China; intimidation of family members; pressure applied to employers or landlords; even impersonation of US immigration officials and forged court documents to trigger platform enforcement actions.
We cannot independently confirm all of these claims. But public reporting has documented similar efforts by Chinese security services to silence dissidents abroad through fake accounts, hacking, doxxing, and coordinated harassment. What this case suggests is that such activity may now be routinized, and increasingly enabled by AI tools for monitoring, translation, and content generation.
As AI becomes more embedded in the global information environment, the advantage will accrue not only to whoever builds the most capable systems, but to whoever sets the defaults – the norms, guardrails, and accountability that shape how these tools are used.
Digital repression is already crossing borders. The question is whether democratic societies will adapt fast enough to raise the costs before this model becomes a durable feature of the global information order. – Sasha Baker, Head of National Security Policy, OpenAI
[Insight] Finding the cracks before attackers do
The UK AI Security Institute (UK AISI) recently published research describing Boundary Point Jailbreaking (BPJ), an automated testing technique that searches for repeatable ways to get around the safeguards built into an AI model. In plain English: BPJ helped researchers find the cracks before bad actors do.
OpenAI acted fast, strengthening our systems to reduce susceptibility to this kind of attack. We translated the research into focused updates, converting the UK AISI’s findings into targeted patches and shipping improvements designed to make this entire class of jailbreak harder to pull off at scale.
This episode underscores an important point: resilience is a process, not a posture. As capabilities advance, so do the methods used to test them. Independent research institutions like UK AISI are valuable because they surface realistic, actionable risks early – the kind you can actually fix – and they raise the baseline for the whole ecosystem.
This kind of responsiveness doesn’t slow progress; it’s how advanced systems mature. The ability to absorb external research, deploy mitigations efficiently, and validate them thoroughly is a core capability for operating widely used AI systems safely.
OpenAI’s work with UK AISI builds on broader engagement with external research and standards organizations, including the US Center for AI Standards and Innovation (CAISI). Those partnerships – reflected in earlier public updates and system documentation – focus on a winning formula: independent evaluation, rapid remediation, and sustained collaboration, before and after deployment.
We’re grateful for our continued collaboration with UK AISI and other external research and standards bodies to surface potential risks early. We will continue working closely together to advance AI security and resilience, strengthening systems as capabilities and testing methods evolve. – Richard Johnson, National Security Risk Mitigation Lead, OpenAI
[About] OpenAI Forum
Explore Forum programming by and for our community of 60,000 AI experts and enthusiasts from across tech, science, medicine, education, government, and other fields.
[About] OpenAI Academy
The Academy offers OpenAI’s free online and in-person AI literacy training for beginners through experts.
OpenAI has called for a nationwide AI education strategy – rooted in local communities in partnership with American companies – to help our current workforce and students become AI-ready, bolster the economy, and secure America’s continued leadership on innovation.
[Disclosure]
Graphics created by Base Three using ChatGPT.









