cto @latchbio, intelligence infrastructure for biology

Joined May 2020
496 Photos and videos
Pinned Post
Gave a talk to Machine Learning @ Berkeley on benchmarking frontier models on spatial biology. Why understanding how assays work is important, what verifiability might look like with messy biology infrastructure challenges running agentic evals at scale.
6
11
183
15,939
Accidentally linked @ATrotmanGrant pub history above lmao. Aaron's below: scholar.google.com/citations…
1
384
Thought-provoking essay by @AaronTrotmanG on why we should reason about the true constraints of biological components independently from the evolutionary pressures that shaped them. Aaron has spent years building tools to understand and manipulate the immune system. Oncology has already been changed by immune engineering, and autoimmunity inflammation still feel early in their arc. CAR-T has produced durable remissions, and in some cases apparent cures, in blood cancers. The current therapies have real challenges, but we should expect continued improvements: broader applicability, expansion to other engineered cell types, and more precise orchestration of many immune components together. CAR-macrophages, reprogrammed dendritic cells, and beyond.
3
3
30
3,039
Kenny Workman reposted
i'm hosting a biosecurity social in sf on july 16th. goal is to bring people interested in evaluating frontier AI for biorisk all in the same room. there will be a few short talks followed by food and time for people to talk with each other. let's make sf known for biosecurity! link below
2
8
33
3,070
Kenny Workman reposted
benchmarks.bio/security
AI agents in biology pose real dual-use risks, but poorly calibrated safeguards are blocking legitimate research. We present BioSecBench-Refusal, a benchmark for risk identification and refusal behavior for biological research tasks. 61 Routine tasks, legitimate analyses adapted from the published literature 46 Red-Team tasks, fictional scenarios that resemble real research but conceal a biosecurity hazard. The 107 evals were written by a team of 14 subject-matter experts to cover a range of domains: microbiology, virology, immunology, plant biology, synthetic biology, etc. Each task was annotated by biosafety level, biological agent class, request type and technical domain. Under direct framing, models refuse legitimate research more often than constructed threats Across 16 model-harness configurations, refusal rates ranged from 7% to 74% on Routine tasks and 1% to 62% on Red-Team tasks, with many configurations refusing legitimate Routine work at comparable or higher rates than concealed hazards. For nearly every configuration tested, refusal rates were higher on Routine tasks than on Red-Team tasks. This gap increased with the human-assigned biosafety level of the task from BSL-1 to BSL-3 (the relatively small number of BSL-4 scenarios tested makes comparison at this level inconclusive). Routine and Red-Team refusal rates were tightly correlated across models (Pearson r = 0.91), pointing to a single underlying trigger: surface text. Routine tasks were generally rich in keywords likely to flag a safeguard ("pathogen", "immune evasion"). Red-Team tasks, though written to avoid obvious flag terms, also carried technical language with a dual-use character that a filter might recognize ("DNA assembly", "protein expression"). Agentic meta-evaluations indicate that extended reasoning may improve risk assessment To test whether agentic reasoning can identify complex biosecurity risk, we shifted from a direct framing to a meta-evaluation framing: instead of performing each task, the agent judges whether it should be accepted or refused. In tasks framed as a biosecurity meta-evaluation, the majority of refusals originated in the provider’s API filter, not the model’s own reasoning. For example in the GPT-5.5 x PI configuration, 60% of Routine tasks were refused. Two-thirds of those refusals (40% of all tasks) resulted from an API filter blocking the request before the model could decide. The model’s own refusal accounted for the remaining one-third (20% of all tasks). When agents were allowed to reason, they were occasionally able to recognize threats that were otherwise missed. For example, GPT-5.5 and Grok correctly refused 14.5–19.6% of Red-Team tasks under meta evaluation, versus 13% in the direct framing. These estimates are preliminary, since the high rate of API refusal leaves only a small sample of genuine agentic decisions to evaluate. Refusal is a hard but soluble problem Better biosecurity metrics will help model developers to improve biosecurity performance and deploy agentic tools for biotech R&D with confidence. This is a first step. More progress in benchmark and agent engineering will follow.
4
17
2,168
Kenny Workman reposted
It was amazing to partner with @LatchBio to develop a new benchmark for biosecurity refusal behavior in frontier models, and put out our first preprint from @americanwetware! Lots to discuss on AI and biosecurity this week - I'll be on @MTSlive at 2:30PM PT to talk about it!
FABLE RETURNS! | NEW META CLOUD | ANTHROPIC TALENT WAR x.com/i/broadcasts/1qxoNNrlm…
7
26
4,001
Kenny Workman reposted
Lmao: "Under direct framing, models refuse legitimate research more often than constructed threats."
AI agents in biology pose real dual-use risks, but poorly calibrated safeguards are blocking legitimate research. We present BioSecBench-Refusal, a benchmark for risk identification and refusal behavior for biological research tasks. 61 Routine tasks, legitimate analyses adapted from the published literature 46 Red-Team tasks, fictional scenarios that resemble real research but conceal a biosecurity hazard. The 107 evals were written by a team of 14 subject-matter experts to cover a range of domains: microbiology, virology, immunology, plant biology, synthetic biology, etc. Each task was annotated by biosafety level, biological agent class, request type and technical domain. Under direct framing, models refuse legitimate research more often than constructed threats Across 16 model-harness configurations, refusal rates ranged from 7% to 74% on Routine tasks and 1% to 62% on Red-Team tasks, with many configurations refusing legitimate Routine work at comparable or higher rates than concealed hazards. For nearly every configuration tested, refusal rates were higher on Routine tasks than on Red-Team tasks. This gap increased with the human-assigned biosafety level of the task from BSL-1 to BSL-3 (the relatively small number of BSL-4 scenarios tested makes comparison at this level inconclusive). Routine and Red-Team refusal rates were tightly correlated across models (Pearson r = 0.91), pointing to a single underlying trigger: surface text. Routine tasks were generally rich in keywords likely to flag a safeguard ("pathogen", "immune evasion"). Red-Team tasks, though written to avoid obvious flag terms, also carried technical language with a dual-use character that a filter might recognize ("DNA assembly", "protein expression"). Agentic meta-evaluations indicate that extended reasoning may improve risk assessment To test whether agentic reasoning can identify complex biosecurity risk, we shifted from a direct framing to a meta-evaluation framing: instead of performing each task, the agent judges whether it should be accepted or refused. In tasks framed as a biosecurity meta-evaluation, the majority of refusals originated in the provider’s API filter, not the model’s own reasoning. For example in the GPT-5.5 x PI configuration, 60% of Routine tasks were refused. Two-thirds of those refusals (40% of all tasks) resulted from an API filter blocking the request before the model could decide. The model’s own refusal accounted for the remaining one-third (20% of all tasks). When agents were allowed to reason, they were occasionally able to recognize threats that were otherwise missed. For example, GPT-5.5 and Grok correctly refused 14.5–19.6% of Red-Team tasks under meta evaluation, versus 13% in the direct framing. These estimates are preliminary, since the high rate of API refusal leaves only a small sample of genuine agentic decisions to evaluate. Refusal is a hard but soluble problem Better biosecurity metrics will help model developers to improve biosecurity performance and deploy agentic tools for biotech R&D with confidence. This is a first step. More progress in benchmark and agent engineering will follow.
6
6
174
18,903
Kenny Workman reposted
Refusal is a blunt tool for a complex issue that needs much more than quantitative or technical evaluation. As Jake notes, "the future of biosecurity is going to be a lot more context-dependent." In the meantime, Claude refuses to even look at our data about refusal behavior.
6
13
1,491
Kenny Workman reposted
x.com/i/article/207230018323…
7
9
46
14,796
Kenny Workman reposted
The open question across all of this: can we catch more red-team queries without wrecking the cost and latency that make safeguards usable? A few directions I'm excited about: 🧵
AI agents in biology pose real dual-use risks, but poorly calibrated safeguards are blocking legitimate research. We present BioSecBench-Refusal, a benchmark for risk identification and refusal behavior for biological research tasks. 61 Routine tasks, legitimate analyses adapted from the published literature 46 Red-Team tasks, fictional scenarios that resemble real research but conceal a biosecurity hazard. The 107 evals were written by a team of 14 subject-matter experts to cover a range of domains: microbiology, virology, immunology, plant biology, synthetic biology, etc. Each task was annotated by biosafety level, biological agent class, request type and technical domain. Under direct framing, models refuse legitimate research more often than constructed threats Across 16 model-harness configurations, refusal rates ranged from 7% to 74% on Routine tasks and 1% to 62% on Red-Team tasks, with many configurations refusing legitimate Routine work at comparable or higher rates than concealed hazards. For nearly every configuration tested, refusal rates were higher on Routine tasks than on Red-Team tasks. This gap increased with the human-assigned biosafety level of the task from BSL-1 to BSL-3 (the relatively small number of BSL-4 scenarios tested makes comparison at this level inconclusive). Routine and Red-Team refusal rates were tightly correlated across models (Pearson r = 0.91), pointing to a single underlying trigger: surface text. Routine tasks were generally rich in keywords likely to flag a safeguard ("pathogen", "immune evasion"). Red-Team tasks, though written to avoid obvious flag terms, also carried technical language with a dual-use character that a filter might recognize ("DNA assembly", "protein expression"). Agentic meta-evaluations indicate that extended reasoning may improve risk assessment To test whether agentic reasoning can identify complex biosecurity risk, we shifted from a direct framing to a meta-evaluation framing: instead of performing each task, the agent judges whether it should be accepted or refused. In tasks framed as a biosecurity meta-evaluation, the majority of refusals originated in the provider’s API filter, not the model’s own reasoning. For example in the GPT-5.5 x PI configuration, 60% of Routine tasks were refused. Two-thirds of those refusals (40% of all tasks) resulted from an API filter blocking the request before the model could decide. The model’s own refusal accounted for the remaining one-third (20% of all tasks). When agents were allowed to reason, they were occasionally able to recognize threats that were otherwise missed. For example, GPT-5.5 and Grok correctly refused 14.5–19.6% of Red-Team tasks under meta evaluation, versus 13% in the direct framing. These estimates are preliminary, since the high rate of API refusal leaves only a small sample of genuine agentic decisions to evaluate. Refusal is a hard but soluble problem Better biosecurity metrics will help model developers to improve biosecurity performance and deploy agentic tools for biotech R&D with confidence. This is a first step. More progress in benchmark and agent engineering will follow.
1
4
10
1,569
Kenny Workman reposted
Today we’re excited to share our first preprint, written with our collaborators at Latch Bio. We’re launching BioSecBench-Refusal, a new benchmark to help model developers calibrate biosecurity-driven refusal behavior.
2
12
30
5,853
Kenny Workman reposted
This is super important work and matches my daily experience. You don't want to mess up biosecurity, but the models and classifiers are clearly not well calibrated right now. Kudos to the @LatchBio team for putting numbers to what every biologist is experiencing
AI agents in biology pose real dual-use risks, but poorly calibrated safeguards are blocking legitimate research. We present BioSecBench-Refusal, a benchmark for risk identification and refusal behavior for biological research tasks. 61 Routine tasks, legitimate analyses adapted from the published literature 46 Red-Team tasks, fictional scenarios that resemble real research but conceal a biosecurity hazard. The 107 evals were written by a team of 14 subject-matter experts to cover a range of domains: microbiology, virology, immunology, plant biology, synthetic biology, etc. Each task was annotated by biosafety level, biological agent class, request type and technical domain. Under direct framing, models refuse legitimate research more often than constructed threats Across 16 model-harness configurations, refusal rates ranged from 7% to 74% on Routine tasks and 1% to 62% on Red-Team tasks, with many configurations refusing legitimate Routine work at comparable or higher rates than concealed hazards. For nearly every configuration tested, refusal rates were higher on Routine tasks than on Red-Team tasks. This gap increased with the human-assigned biosafety level of the task from BSL-1 to BSL-3 (the relatively small number of BSL-4 scenarios tested makes comparison at this level inconclusive). Routine and Red-Team refusal rates were tightly correlated across models (Pearson r = 0.91), pointing to a single underlying trigger: surface text. Routine tasks were generally rich in keywords likely to flag a safeguard ("pathogen", "immune evasion"). Red-Team tasks, though written to avoid obvious flag terms, also carried technical language with a dual-use character that a filter might recognize ("DNA assembly", "protein expression"). Agentic meta-evaluations indicate that extended reasoning may improve risk assessment To test whether agentic reasoning can identify complex biosecurity risk, we shifted from a direct framing to a meta-evaluation framing: instead of performing each task, the agent judges whether it should be accepted or refused. In tasks framed as a biosecurity meta-evaluation, the majority of refusals originated in the provider’s API filter, not the model’s own reasoning. For example in the GPT-5.5 x PI configuration, 60% of Routine tasks were refused. Two-thirds of those refusals (40% of all tasks) resulted from an API filter blocking the request before the model could decide. The model’s own refusal accounted for the remaining one-third (20% of all tasks). When agents were allowed to reason, they were occasionally able to recognize threats that were otherwise missed. For example, GPT-5.5 and Grok correctly refused 14.5–19.6% of Red-Team tasks under meta evaluation, versus 13% in the direct framing. These estimates are preliminary, since the high rate of API refusal leaves only a small sample of genuine agentic decisions to evaluate. Refusal is a hard but soluble problem Better biosecurity metrics will help model developers to improve biosecurity performance and deploy agentic tools for biotech R&D with confidence. This is a first step. More progress in benchmark and agent engineering will follow.
1
2
10
1,552
View the results: benchmarks.bio/security Read the paper: latch.bio/biosecbench-refusa… Blog: blog.latch.bio/p/benchmarkin… First release from our newly formed Latch BioSecurity team, led by @_harm0n , @DianzhuoWang , @evanseeyave. Project was built in collaboration with the partners at American Wetware: @SynBio1, @p_maverick_b and @thisischristina. Special thanks to the experts who wrote benchmark tasks and shaped project direction: @danfulop, Matthew C. Watson, Adam J. Meyer, Sandrine Boissel, Jens H. Kuhn, Rishi Jain, Noah D. Taylor, Helena Shomar.
13
854
AI agents in biology pose real dual-use risks, but poorly calibrated safeguards are blocking legitimate research. We present BioSecBench-Refusal, a benchmark for risk identification and refusal behavior for biological research tasks. 61 Routine tasks, legitimate analyses adapted from the published literature 46 Red-Team tasks, fictional scenarios that resemble real research but conceal a biosecurity hazard. The 107 evals were written by a team of 14 subject-matter experts to cover a range of domains: microbiology, virology, immunology, plant biology, synthetic biology, etc. Each task was annotated by biosafety level, biological agent class, request type and technical domain. Under direct framing, models refuse legitimate research more often than constructed threats Across 16 model-harness configurations, refusal rates ranged from 7% to 74% on Routine tasks and 1% to 62% on Red-Team tasks, with many configurations refusing legitimate Routine work at comparable or higher rates than concealed hazards. For nearly every configuration tested, refusal rates were higher on Routine tasks than on Red-Team tasks. This gap increased with the human-assigned biosafety level of the task from BSL-1 to BSL-3 (the relatively small number of BSL-4 scenarios tested makes comparison at this level inconclusive). Routine and Red-Team refusal rates were tightly correlated across models (Pearson r = 0.91), pointing to a single underlying trigger: surface text. Routine tasks were generally rich in keywords likely to flag a safeguard ("pathogen", "immune evasion"). Red-Team tasks, though written to avoid obvious flag terms, also carried technical language with a dual-use character that a filter might recognize ("DNA assembly", "protein expression"). Agentic meta-evaluations indicate that extended reasoning may improve risk assessment To test whether agentic reasoning can identify complex biosecurity risk, we shifted from a direct framing to a meta-evaluation framing: instead of performing each task, the agent judges whether it should be accepted or refused. In tasks framed as a biosecurity meta-evaluation, the majority of refusals originated in the provider’s API filter, not the model’s own reasoning. For example in the GPT-5.5 x PI configuration, 60% of Routine tasks were refused. Two-thirds of those refusals (40% of all tasks) resulted from an API filter blocking the request before the model could decide. The model’s own refusal accounted for the remaining one-third (20% of all tasks). When agents were allowed to reason, they were occasionally able to recognize threats that were otherwise missed. For example, GPT-5.5 and Grok correctly refused 14.5–19.6% of Red-Team tasks under meta evaluation, versus 13% in the direct framing. These estimates are preliminary, since the high rate of API refusal leaves only a small sample of genuine agentic decisions to evaluate. Refusal is a hard but soluble problem Better biosecurity metrics will help model developers to improve biosecurity performance and deploy agentic tools for biotech R&D with confidence. This is a first step. More progress in benchmark and agent engineering will follow.
10
27
114
39,969
Kenny Workman reposted
50Y teams at the center of AI x Bio. Manifold Bio, 50Y portco Latch Bio, 50Y portco Boltz, 5050 alumni
Wake up everyone, Anthropic is making MEDICINES! Improving the human condition is the most valuable opportunity that has ever existed and will ever exist. The industry is about to reflect that. Cool to see @ManifoldBio @LatchBio @boltz_bio here - models, data, workflows are key
3
6
60
8,903
Kenny Workman reposted
Wake up everyone, Anthropic is making MEDICINES! Improving the human condition is the most valuable opportunity that has ever existed and will ever exist. The industry is about to reflect that. Cool to see @ManifoldBio @LatchBio @boltz_bio here - models, data, workflows are key
12
54
12,323
Kenny Workman reposted
Great event by Anthropic’s Life Science team, as usual. Excited about the Latch x Claude Science integration.
We’re launching the Latch MCP and announcing its availability within Claude Science, Anthropic’s new AI workbench for scientists. AI for biology requires agent-native infrastructure: systems where agents can store, process, and visualize large molecular datasets from the interfaces scientists already use. Biological analysis workflows often require substantial compute. Retries or incorrect long-running tool calls can quickly inflate workflow time and cost, especially when analyses take hours or days to complete. These tools should also be curated with appropriate parameters and agent-readable documentation, ideally provided by the original assay developer, to support correct use across many complex scientific contexts. At Latch, we’ve seen customers of our Solution Provider partners, including TakaraBio, Vizgen, and AtlasXOmics, use both the Latch Agent and external harnesses like Claude Code and Cursor to accelerate analysis of their data. The Latch MCP is a remote MCP server that securely connects agent harnesses to the Latch platform, giving agents access to verified bioinformatics tools built and maintained by kit and instrument providers. Agents can navigate data on Latch and launch existing deployments of validated bioinformatics workflows to analyze that data.
7
55
7,754
We’re launching the Latch MCP and announcing its availability within Claude Science, Anthropic’s new AI workbench for scientists. AI for biology requires agent-native infrastructure: systems where agents can store, process, and visualize large molecular datasets from the interfaces scientists already use. Biological analysis workflows often require substantial compute. Retries or incorrect long-running tool calls can quickly inflate workflow time and cost, especially when analyses take hours or days to complete. These tools should also be curated with appropriate parameters and agent-readable documentation, ideally provided by the original assay developer, to support correct use across many complex scientific contexts. At Latch, we’ve seen customers of our Solution Provider partners, including TakaraBio, Vizgen, and AtlasXOmics, use both the Latch Agent and external harnesses like Claude Code and Cursor to accelerate analysis of their data. The Latch MCP is a remote MCP server that securely connects agent harnesses to the Latch platform, giving agents access to verified bioinformatics tools built and maintained by kit and instrument providers. Agents can navigate data on Latch and launch existing deployments of validated bioinformatics workflows to analyze that data.
Introducing Claude Science, a new app designed with every stage of research in mind. Artifacts traced to their code, environments managed on demand, and 60 optional scientific databases that you can connect. Available now in beta.
7
12
84
16,344
Kenny Workman reposted
TwentyTwo is joining LatchBio to build out Latch Biosecurity. Our mission is unchanged. We're putting together a team to work on hard problems in biosecurity, from LLM refusal to biosurveillance. If that sounds interesting, please reach out.
We are excited to announce that LatchBio has acquired TwentyTwo, a YC S25 team building AI infrastructure for biosecurity. As AI makes biology easier to engineer, the safeguards around these models stop being an afterthought and become core infrastructure. Security has to improve as fast as capabilities to allow science to progress. Within our lifetimes, AI will put the ability to engineer a pandemic within reach of a single bad actor. What once took a nation-state and years of work is collapsing toward an undergraduate and a few weeks in the lab. That world is arriving faster than most AI labs are prepared for. However, in the right hands, these models will accelerate science at a pace never seen before. Scientists will use these models to cure diseases that families have fought for generations and catch outbreaks before they spread. We cannot wall them off from the tools that augment their work. The problem is that the line between the two is hard to draw. Studying SARS-CoV-2 or Ebola to prepare for the next pandemic is very similar to what a bad actor would do to cause one. TwentyTwo builds intelligence defense systems that distinguish this line and apply safeguards or grant capabilities accordingly. Harmon Bhasin, Evan Seeyave, and John Wang are exceptional researchers who care deeply about building the future of life sciences responsibly. The three of them will join Latch as Members of Technical Staff and lead Latch Biosecurity. I am grateful to be working with them. Expect many more announcements from them over the coming days. We are hiring biosecurity engineers. If this is the kind of work you want to do, reach out.
1
2
9
1,028