Applications are now closed.
A ~200 person event alongside DEF CON 33 bringing together researchers, engineers, and policymakers working to secure AI systems.
Core themes: AI model weight security, cyber capability evaluations, hardware-enabled verification, AI supply chain security, attacks on AI systems, AI as an insider risk, adversarial ML, threat models.
Finding the venue
On entering the casino, head to the Fantasy tower (NW from the entrance). Tell security you’re going to the AI Security Forum. Head to Floor 2 in the elevators marked for the meeting rooms. Come out of the lift area - turn left and head towards the Grand Ballroom, past the business centre.
Schedule
Please note that times of some sessions may change.
Time | Session Name | Presenters | Session Description | Room | Track |
---|---|---|---|---|---|
9:00am - 10:00am | Registration & Breakfast | | | Ballroom Foyer | General |
10:00am - 10:15am | Opening Remarks | | | Grand Ballroom 4-6 | General |
10:15am - 10:35am | The State of AI Security | | Sella will share highlights on how the field of frontier AI security has evolved in the past year, including in industry, government, civil society, and more. | Grand Ballroom 4-6 | General |
10:40am - 11:00am | The Path to ASL-3 at Anthropic | | A retrospective look at Anthropic's attainment of ASL-3 and the challenges along the way. | Grand Ballroom 4-6 | General |
11:05am - 11:25am | How to Securely Deploy Agents that Make Sensitive Decisions in Untrusted Environments | | To fully harness the potential of AI automation and maximize innovation in novel AI application areas, we need AI colleagues and personal assistants capable of making sensitive decisions in untrusted environments that may contain adversarial data. In my talk I'll argue that while there is no universal, risk-free technical solution to this challenge, achieving agent security is not fundamentally different from previous technical security challenges, which similarly lacked risk-free solutions and required a multi-disciplinary and evolving set of strategies to achieve an acceptable—if not perfect—balance between security and utility. To flesh this out, I'll draw parallels to how the security community has historically managed issues such as malware, software security, and ransomware protection. For years, the industry sought universal solutions for such problems, but success came from a continuous, multi-disciplinary, dialectical, "all of the above" approach that reduced risk to an acceptable, though not perfect, steady state. | Grand Ballroom 4-6 | General |
11:30am - 11:50am | Patching Critical Infrastructure: Lessons from DARPA's AI Cyber Challenge | | DARPA and ARPA-H are on a mission to advance AI-driven cybersecurity and usher in a future where we can patch vulnerabilities before they can be exploited. AI Cyber Challenge Program Manager Andrew Carney will deliver the latest news about the competition and discuss how the program is driving the innovation of responsible AI systems designed to address some of our most important digital issues today: the security of critical infrastructure and software supply chains. | Grand Ballroom 4-6 | General |
12:00pm - 1:30pm | Lunch | | | Grand Ballroom 1-3 | General |
1:30pm - 2:30pm | Workshop: Building Agentic Evals with Inspect Cyber | | In this hands-on workshop, you'll explore Inspect AI's capabilities for streamlining agentic evaluation development and build your own eval to run locally with Docker. Before you arrive: install Docker on your laptop or virtual machine, and test the installation with `docker run hello-world`. | Harper C-D | Offensive Security / Evals |
1:30pm - 2:30pm | Open Problems in AI Verification and Technical Transparency | | Verifying a compute cluster's workloads and results could advance multiple goals, including preventing model exfiltration, detecting rogue deployments, and verifying international agreements on AI. This session will give a technical overview of the state of the field and open challenges, based on recent research (https://www.arxiv.org/abs/2507.15916), followed by Q&A and brainstorming concrete options for getting involved. The session will focus on software and ML problems. | Harper A-B | Hardware Enabled Verification |
1:30pm - 2:00pm | Fireside Chat: Threat Modeling in the Age of Autonomous Systems - Rethinking Risk When the System Evolves | | From prompt exploits to agentic behaviour: how defenders must reshape assumptions, frameworks, and collaboration to meet AI-native threats head-on. | Grand Ballroom 4-6 | AI for defensive security |
2:00pm - 2:30pm | Securing AI Infrastructure Against Hardware Supply Chain Attacks | | Can supply chains be trusted? This talk highlights how integrity can quietly fail from design to decommission, and why that matters for AI security, compliance, and export controls. Learn what you can implement today and what you can work on to advance the state of the art. | Madison A-C | Securing AI Infrastructure |
2:00pm - 2:30pm | Offensive AI: Welcome to the Party | | Initially called out in the Biden Executive Order, the capabilities of models to execute offensive security tasks have been hotly debated. It is now 2025, and several examples of models not just performing these tasks but excelling at them have been shown. This talk will discuss our findings across reversing, multi-step network attacks, bug bounty, threat intel, and more. This technology is multi-use at its core, and offers uplift to all sides. | Grand Ballroom 4-6 | Offensive Security / Evals |
2:30pm - 3:00pm | Break & Demos | | | Ballroom Foyer | General |
3:00pm - 4:00pm | Workshop: Building Offensive Cyber Agents | | Everyone wants to build cyber agents, but they don't have the building blocks to go from PoC to production. In this workshop attendees will learn how to use our open-source frameworks to deploy agents on real-world offensive tasks. Attendee requirements: bring your laptop and make sure you have Python installed. | Harper A-B | Offensive Security / Evals |
3:00pm - 4:00pm | Tabletop Exercise: Security & AI | | The impact of superhuman AI over the next decade may be enormous, exceeding that of the Industrial Revolution. In this tabletop exercise, we will explore how security measures may be critical for AI progress. We'll simulate decisions and developments for labs, governments and state actors and get a glimpse of how impactful they might be. | Harper C-D | Securing AI Infrastructure |
3:00pm - 3:30pm | Mitigating Insider Threat from AI: A Novel Computer Security Challenge | | AI developers will need to handle the possibility that their AI agents are conspiring against them. This problem has some fundamental structural differences from the most important security problems today, and will require creative and novel solutions. In this talk I'll explain how I think this problem compares to other security settings, and describe our prospects for solving it. | Grand Ballroom 4-6 | AI for defensive security |
3:00pm - 3:30pm | Fireside Chat: Founding Fields and Companies to Secure AI Model Weights | | Dan co-wrote the securing model weights report (which has influenced the work of several speakers at this forum) and founded Pattern Labs, which (amongst other things) aims to radically improve the security posture of AI companies. Dan and Caleb will chat about his field-building work, the realities of securing model weights from outside labs, and the areas he's most excited for people to work on in future. | Madison A-C | Securing AI Infrastructure |
3:30pm - 4:00pm | Beyond CTFs: Evaluating AI Cyber Capabilities in Real-World Environments | | This session introduces an innovative approach to assessing AI cyber capabilities through virtualised infrastructure rather than traditional CTF challenges. Current evaluations often test isolated skills using problems with published solutions, failing to measure real-world operational abilities. The UK AI Security Institute's open-source Proxmox integration for the Inspect framework enables testing against authentic cyber environments, providing a more accurate assessment of AI systems' genuine problem-solving capabilities in operational contexts. | Grand Ballroom 4-6 | Offensive Security / Evals |
3:30pm - 4:00pm | Securing History's Greatest Infrastructure Buildout | | The gigawatt-scale AGI data centers underway will be perhaps the most critical locations on earth. But how should we think about security in the domain of megaprojects? This talk will walk through a full-stack, interactive demo of the attack surface at one of the world's largest cluster build-outs, based on publicly available "open source intelligence" (OSINT). It will combine sources like satellite footage, amateur drone recordings, and utility diagrams, as well as quantitative simulations of the network topology of clusters of tens of thousands of Nvidia GB200s, with an aim of understanding end-to-end attack chains across the cyber and physical domains, and how to defend against them. | Madison A-C | Securing AI Infrastructure |
4:00pm - 4:30pm | Break & Demos | | | Ballroom Foyer | General |
4:30pm - 5:00pm | Using Zero-Knowledge Proofs for Weight Protection | | Recent breakthroughs in zero-knowledge proof systems pave the way for a new security paradigm, where the computation is cryptographically verified. AI workloads possess certain properties that make them ideal candidates for this new technology. This talk briefly unpacks why AI is such a good candidate for verifiable compute and what the possible applications for it are in AI security, including preventing sabotage and theft of model weights. | Grand Ballroom 4-6 | Securing AI Infrastructure |
4:30pm - 5:30pm | Workshop: Equipping the AI Hardware Stack for Verification - Workshopping Implementation Ideas | | There's often thought to be an irreconcilable tension between AI diffusion and security: broad access raises the risk of misuse or loss of control, while strict limitations can hinder innovation and reinforce power imbalances. Embedding privacy-preserving verification capabilities into the AI hardware stack would allow us to escape that tradeoff. This session explores how to make that possible. After a brief overview of the problem space and concrete use cases, we'll break into small groups to workshop implementation ideas. We will consider different stakeholders (e.g. AI developers, auditors, end users), different form factors (e.g. on-chip, off-chip, software-only), and technical components (e.g. guarantee processors, analogous sensors, secure update mechanisms, anti-tamper enclosures). | Harper A-B | Hardware Enabled Verification |
4:30pm - 5:30pm | Workshop: Deep Dive on Threats from Using AI Agents for AI R&D | | Using AI agents for AI R&D poses a number of unique threats compared to other applications. Most importantly, these AIs have access to many affordances that developers are very wary about granting to unvetted human employees: access to algorithmic secrets, sensitive model weights, and massive quantities of compute. In this session, we'll discuss the dynamics here, including a detailed discussion of which threat models seem particularly hard to mitigate using traditional computer security techniques. | Harper C-D | AI for defensive security |
4:30pm - 5:00pm | Massively Accelerating Software Verification | | | Madison A-C | AI for defensive security |
5:00pm - 5:30pm | Fireside Chat: Report on "Achieving A Secure AI Agent Ecosystem" | | | Grand Ballroom 4-6 | Securing AI Infrastructure |
5:00pm - 5:30pm | Mining Docker Hub for 0-days and Offsec Benchmarks | | CTF challenges have become the backbone of cybersecurity evaluations for AI. However, they tend to be unrealistic in various ways (e.g., smaller than real apps, containing hints to the solution, etc.). We describe an alternative: we scrape Docker Hub for appropriate applications (web apps, in our case), automatically set them up using an LLM agent and plant CTF-style flags, and then attack them with our offsec agent to find 0-day vulnerabilities. | Madison A-C | Offensive Security / Evals |
5:30pm - 6:00pm | Break & Demos | | | Ballroom Foyer | General |
6:00pm - 6:30pm | Frontier Models for Cybersecurity | | In this talk we will give an overview of the latest developments in AI for cybersecurity. Over the past decade, there has been a transformation in the world of cybersecurity due to the scale of data. In the coming decade, cybersecurity will be transformed through the adoption of AI. In this talk we will discuss some of the challenges the industry is facing in adopting AI and argue for open innovation in AI for cybersecurity. | Grand Ballroom 4-6 | AI for defensive security |
6:00pm - 6:30pm | How and Why to Build AI Tools for AGI Security | | Leveraging AI will be critical for securing AGI model weights and algorithmic secrets. Yet, despite a boom in AI-powered cybersecurity, very few projects are applying AI to the most important AGI security challenges. This talk argues for more work in this area, and outlines two strategies for builders: rethinking security from first principles for a world with abundant intelligence, rather than merely automating existing processes; and accelerating the development of key defensive AI capabilities. | Madison A-C | AI for defensive security |
6:30pm - 7:15pm | Closing Plenary | | | Grand Ballroom 4-6 | General |
7:15pm - 11:00pm | Buffet Dinner, Drinks, and Networking (Co-sponsored by CoSAI) | | | Grand Ballroom 1-3 | General |
7:30pm - 8:30pm | Demo Fair | | | Ballroom Foyer | General |
FAQs
Why are we running this event?
Who is this event for?
Who attended last time?
Speakers

Program Manager @ DARPA

AI Security Lead @ Meta

Technical Specialist @ ARIA

CEO @ Redwood Research


VP of AI and Security @ Cisco Foundation AI
Technology and Security Policy Fellow @ RAND

Co-founder and CTO @ Dreadnode

AI Researcher @ XBOW

Project Manager @ AI Futures

Cybersecurity Researcher @ UK AISI

Member of Technical Staff @ UK AISI

SVP and CISO @ Oracle Cloud Security
Executive Director, AI and Advanced Computing @ Schmidt Sciences

CEO @ RemoteThreat, DE - AI & Offensive Security @ IBM

CTO @ HelmGuard AI

Cofounder and CEO @ DeepResponse

Co-Founder @ Theorem Labs

CEO @ Attestable


Past participants included leaders from:
Organized by Harrison Gietz, Nandini Shiralkar, Caleb Parikh and Eli Parkes. Co-run by the AI Risk Mitigation Fund and ERA.
Questions? Contact harrison@erafellowship.org.