AI firms are hiring weapons experts to prevent ‘catastrophic misuse’ - Euronews.com

Anthropic and OpenAI are both hiring CBRN weapons experts — and the job postings reveal something the press releases do not: this is not theoretical safety theater. These labs are responding to a specific capability threshold their models have already crossed.

Anthropic posted a LinkedIn job on March 7: Policy Manager, Chemical Weapons and High-Yield Explosives. The posting, reviewed by type0 and confirmed by multiple outlets, offers a New York-based salary between $245,000 and $285,000, according to Digit Fi reporting that cited the original LinkedIn listing. It asks for a minimum of five years of experience in chemical weapons and/or explosives defense, knowledge of radiological dispersal devices, and someone who will design and monitor the guardrails for how Claude responds to prompts about chemical weapons and explosives — and conduct rapid responses to escalations in those prompts. The hire will evaluate new risk evaluations that company leadership can "trust during high-stakes launches."

OpenAI is advertising a Researcher, Frontier Biological and Chemical Risks role, and a Threat Modeler position, with a salary ceiling north of $455,000, according to its careers page. The Threat Modeler position gives one person primary ownership of "identifying, modelling, and forecasting frontier risks" and serves as "a central node connecting technical, governance, and policy perspectives on prioritisation." Both roles sit within OpenAI's Preparedness team, which monitors for catastrophic risks related to frontier AI models.

The timing is not accidental. These postings land amid the most public rupture between a frontier AI lab and the US government in the industry's history — and amid an escalating bombing campaign against Iran that both companies' models are already embedded in.

THE CAPABILITY QUESTION

The job requirements are revealing precisely because they're specific. These are not safety researchers broadly concerned about AI risk. They are domain experts in the chemistry and engineering of weapons that, in the wrong hands, could kill tens of thousands of people.

Anthropic's own CEO Dario Amodei acknowledged in his February statement on the DoW standoff that the reason Claude needs these guardrails is because the model already knows things. "Claude is extensively deployed across the Department of War and other national security agencies for mission-critical applications, such as intelligence analysis, modeling and simulation, operational planning, cyber operations, and more." The model already handles queries about chemical weapons. The question is whether the guardrails built by a domain expert are more robust than the alternative — an AI deliberately kept ignorant of CBRN topics, which adversaries could then query without restraint.

OpenAI makes a similar argument in its own DoW agreement post: its red lines are enforceable because of deployment architecture (cloud-only), contract language, and human oversight via cleared OpenAI personnel in the loop.

But the question of whether teaching an AI more about weapons makes it safer or more dangerous is not settled. Dr. Stephanie Hare, a tech researcher quoted across multiple outlets including the BBC and ICO Optics, has raised the concern directly. "Is it ever safe to use AI systems to handle sensitive chemicals and explosives information, including dirty bombs and other radiological weapons?" Hare asked. "There is no international treaty or other regulation for this type of work and the use of AI with these types of weapons. All of this is happening out of sight."

THE "INTENTIONAL" ESCAPE HATCH

The deepest skepticism about both companies' assurances comes not from AI safety researchers but from former national security lawyers and former Pentagon officials — people who have read this kind of language before.

The Intercept spoke with Brad Carson, former Under Secretary of the Army and co-founder of a super PAC that lobbies for AI safety regulation, who said: "I'm not confident in the language at all. And in some parts I don't even believe it." Carson noted that OpenAI's contract language restricting NSA access would ostensibly prevent intelligence agencies from using OpenAI's tools for pressing operational needs — and said he did not believe that provision was actually in the contract.

Former DOJ National Security Division attorney Alan Rozenshtein told The Intercept: "There is nothing OpenAI can do to clarify this except release the contract." He described OpenAI's attempt to sell its deal to the public without letting the public read it as "not sustainable" and "bizarre."

The word doing the most work in OpenAI's language, critics say, is "intentional." The company says its systems will not be "intentionally used" for domestic surveillance. Former national security lawyers note this is precisely the escape hatch that has historically provided cover for programs that vacuumed up Americans' data incidentally — without technically being "intentional."

The parallel is not abstract. In a March 2013 Senate hearing, then-Director of National Intelligence James Clapper was asked under oath whether the NSA collects data on millions of Americans. He replied: "No, sir." When pressed, he added: "Not wittingly." A few months later, Snowden disclosures revealed the agency routinely collected vast quantities of information on Americans as a routine practice. The word "wittingly" provided the same miles-wide wall of plausible deniability that "intentionally" now provides.

The DoW has purchased Americans' location data, web browsing data, and movements at scale through commercially acquired sources, without warrants, documented across multiple investigations and a letter from Senator Ron Wyden to the Pentagon. Wyden told The Intercept: "It is a fact that the Pentagon has both purchased and analyzed vast amounts of Americans' location, web browsing, and other data, for years. I've personally revealed several of those programs, with the help of brave whistleblowers. Anyone who claims that isn't happening simply doesn't know what they're talking about."

TWO APPROACHES, ONE CUSTOMER

The Anthropic-OpenAI split on the DoW contract is well covered, but the underlying philosophical divergence is worth spelling out.

Anthropic's approach: refuse certain deployments contractually, full stop. The company's position is that mass domestic surveillance and fully autonomous weapons are outside the bounds of what today's technology can safely handle, and it will not provide a product that enables either. This is why it went to court when the DoW demanded those safeguards removed.

OpenAI's approach: deploy with safeguards — cloud-only architecture, a safety stack the company controls, cleared OpenAI personnel in the loop, and contract language referencing existing laws and DoD directives. The company says this multi-layered approach is more durable than Anthropic's blanket refusal.

The labs and the DoW disagree sharply on which is more enforceable. The DoW's position, stated in its AI strategy document, is that it will only contract with AI companies that accede to "any lawful use" and remove safeguards in the cases Anthropic has specified. Emil Michael, the Pentagon's Chief Technology Officer, explained the concern in stark terms: "We can't have a company that has a different policy preference pollute the supply chain so our war fighters are getting ineffective weapons, ineffective body armor, ineffective protection." He described Anthropic's "constitution" — the formal ethical framework that governs how Claude evaluates requests — as "ideological contamination" embedded in the model.

THE HUMAN IN THE LOOP — OR NOT

One detail from the reporting deserves particular attention. CNBC reported that OpenAI CEO Sam Altman told staff in an all-hands meeting that the Pentagon made clear to the company it does not "get to make operational decisions" regarding how its technology is used. "So maybe you think the Iran strike was good and the Venezuela invasion was bad," Altman said Tuesday, according to a partial transcript of the meeting reviewed by CNBC. "You don't get to weigh in on that." The meeting occurred four days after OpenAI announced its DOD arrangement.

Altman told employees that the Pentagon respects OpenAI's technical expertise, wants input about where its models are a good fit and will allow the company to build the safety stack it deems appropriate. But Altman said the agency has also made clear that operational decisions rest with Secretary Pete Hegseth.

That is not a secondary concern. If the Secretary of Defense holds ultimate operational authority, then the "human in the loop" that OpenAI points to as its key safeguard is the Secretary of Defense — the same person who ordered the bombing of Iran and has publicly advocated for aggressive use of military force. The loop is closed in a way that should give anyone pause who thinks the safety architecture is doing meaningful work.

Meanwhile, the US government is reportedly using Claude for target selection and analysis in its ongoing bombing campaign against Iran. The Washington Post reported on March 4 that Claude generated approximately 1,000 prioritized targets on the first day of operations alone, synthesizing satellite imagery, signals intelligence and surveillance feeds in real time to produce target packages. Anthropic has not objected to this use. Amodei has said the company supports American frontline warfighters and that its objection is narrowly limited to two categories: mass domestic surveillance and fully autonomous weapons with no human in the loop. Active combat operations that select and engage targets with a human in the loop appear to fall on the acceptable side of that line, however uncomfortable that makes the framing of Anthropic's "safety" positioning.

WHAT THE HIRING ACTUALLY SIGNALS

The job postings, read in full, suggest the labs believe frontier models are approaching — or have reached — a capability threshold where sufficiently detailed conversations about weapons synthesis are possible without external references. The guardrails question is no longer theoretical.

What's less discussed is what the hiring push signals about the labs' own assessment of their current guardrails. They're not confident enough in their existing classifiers and safety measures to handle CBRN queries at scale. They need domain experts — people who know what a radiological dispersal device is, how a chemical agent disperses, what the failure modes of a high-yield explosive are — to build better ones.

That is an admission, dressed up as proactive diligence.

The experts Anthropic and OpenAI are hiring will be drawing those lines — one guardrail at a time. The question is who holds them accountable when the lines are crossed.