Vegas AI Security Forum ‘25

9:00am - 10:00am

10:00am - 10:15am

10:15am - 10:35am

Sella will share highlights on how the field of frontier AI security has evolved in the past year - including in industry, government, civil society, and more.

10:40am - 11:00am

A retroactive look at the Anthropic ASL-3 attainment and challenges.

11:05am - 11:25am

To fully harness the potential of AI automation and maximize innovation in novel AI application areas, we need AI colleagues and personal assistants capable of making sensitive decisions in untrusted environments that may contain adversarial data. In my talk I’ll argue that while there is no universal, risk-free technical solution to this challenge, achieving agent security is not fundamentally different from previous technical security challenges, which similarly lacked risk-free solutions and required a multi-disciplinary and evolving set of strategies to achieve an acceptable—if not perfect—balance between security and utility. To flesh this out, I’ll draw parallels to how the security community has historically managed issues such as malware, software security, and ransomware protection. For years, the industry sought universal solutions for such problems, but success came from a continuous, multi-disciplinary, dialectical, "all of the above" approach that reduced risk to an acceptable, though not perfect, steady state.

11:30am - 11:50am

DARPA and ARPA-H are on a mission to advance AI-driven cybersecurity and usher in a future where we can patch vulnerabilities before they can be exploited. AI Cyber Challenge Program Manager Andrew Carney will deliver the latest news about the competition and discuss how the program is driving the innovation of responsible AI systems designed to address some of our most important digital issues today: the security of critical infrastructure and software supply chains.

12:00pm - 1:30pm

1:30pm - 2:30pm

In this hands-on workshop, you'll explore Inspect AI's capabilities for streamlining agentic evaluation development and build your own eval to run locally with Docker. Before you arrive: * Install Docker on your laptop or virtual machine * Test the installation: `docker run hello-world`

1:30pm - 2:30pm

Verifying a compute cluster's workloads and results could advance multiple goals, including: preventing model exfiltration, detecting rogue deployments, and verifying international agreements on AI. This session will give a technical overview of the state of the field and open challenges, based on recent research (https://www.arxiv.org/abs/2507.15916), followed by Q&A and brainstorming concrete options for getting involved. The session will focus on software and ML problems.

1:30pm - 2:00pm

From prompt exploits to agentic behaviour, how defenders must reshape assumptions, frameworks, and collaboration to meet AI-native threats head-on.

2:00pm - 2:30pm

Can supply chains be trusted? This talk highlights how integrity can quietly fail from design to decommission, and why that matters for AI security, compliance, and export controls. Learn what you can implement today and what you can work on to advance the state of the art.

2:00pm - 2:30pm

Initially called out in the Biden Executive Order, the capabilities of models to execute offensive security tasks has been hotly debated. It is now 2025, and several examples of models not just performing these tasks, but excelling at them have been shown. This talk will discuss our findings across reversing, multi-step network attacks, bug bounty, threat intel, and more. This technology is multi-use at its core, and offers uplift to all sides.

2:30pm - 3:00pm

3:00pm - 4:00pm

Everyone wants to build cyber agents, but they don’t have the building blocks to go from PoC to production. In this workshop attendees will learn how to use our open-source frameworks to deploy agents on real world offensive tasks. Attendee requirements: Bring your laptop and make sure you have python installed.

3:00pm - 4:00pm

The impact of superhuman AI over the next decade may be enormous, exceeding that of the Industrial Revolution. In this Tabletop exercise, we will explore how Security measures may be critical for AI progress. We'll simulate decisions and developments for labs, governments and state actors and get a glimpse of how impactful they might be.

3:00pm - 3:30pm

AI developers will need to handle the possibility that their AI agents are conspiring against them. This problem has some fundamental structural differences from the most important security problems today, and will require creative and novel solutions. In this talk I'll explain how I think this problem compares to other security settings, and describe our prospects for solving it.

3:00pm - 3:30pm

Dan co-wrote the securing model weights report (which has influenced the work of several speakers at this forum) and founded Pattern Labs which (amongst other things) aims to radically improve the security posture of AI companies. Dan and Caleb will chat about his field building work, realities of securing model weights from outside labs, and areas that he’s most excited for people to work on in future.

3:30pm - 4:00pm

This session introduces an innovative approach to assessing AI cyber capabilities through virtualised infrastructure rather than traditional CTF challenges. Current evaluations often test isolated skills using problems with published solutions, failing to measure real-world operational abilities. The UK AI Security Institute's open-source Proxmox integration for the Inspect framework enables testing against authentic cyber environments, providing more accurate assessment of AI systems' genuine problem-solving capabilities in operational contexts.

3:30pm - 4:00pm

The gigawatt scale AGI data centers underway will be perhaps the most critical locations on earth. But how should we think about security in the domain of megaprojects?This talk will walk through a full-stack, interactive demo of the attack surface at one of the world's largest cluster build-outs, based on publicly available, "open source intelligence" (OSINT).It will combine sources like satellite footage, amateur drone recordings, and utility diagrams; as well as quantitative simulations of the network topology of clusters of tens of thousands of Nvidia GB200s --- with an aim of understanding end-to-end attack chains across the cyber and physical domains, and how to defend against them.

4:00pm - 4:30pm

4:30pm - 5:00pm

Recent breakthroughs in zero-knowledge proof systems pave the way for a new security paradigm, where the computation is cryptographically verified. AI workloads possess certain properties that make them ideal candidates for this new technology. This talk shortly unpacks why AI is such a good candidate for verifiable compute and what the possible applications for it are in AI security, including preventing sabotage and theft of model weights.

4:30pm - 5:30pm

There’s often thought to be an irreconcilable tension between AI diffusion and security: broad access raises the risk of misuse or loss of control, while strict limitations can hinder innovation and reinforce power imbalances. Embedding privacy-preserving verification capabilities into the AI hardware stack would allow us to escape that tradeoff. This session explores how to make that possible. After a brief overview of the problem space and concrete use cases, we’ll break into small groups to workshop implementation ideas. We will consider different stakeholders (e.g. AI developers, auditors, end users), different form factors (e.g. on-chip, off-chip, software-only), and technical components (e.g. guarantee processors, analogous sensors, secure update mechanisms, anti-tamper enclosures).

4:30pm - 5:30pm

Using AI agents for AI R&D poses a number of unique threats compared to other applications. Most importantly, these AIs have access to many affordances that developers are very wary about granting to unvetted human employees: access to algorithmic secrets, sensitive model weights, and massive quantities of compute. In this session, we'll discuss the dynamics here, including a detailed discussion of which threat models seem particularly hard to mitigate using traditional computer security techniques.

4:30pm - 5:00pm

5:00pm - 5:30pm

5:00pm - 5:30pm

CTF challenges have become the backbone of cybersecurity evaluations for AI. However, they tend to be unrealistic in various ways (e.g., smaller than real apps, contain hints to the solution, etc.). We describe an alternative: we scrape Docker Hub for appropriate applications (web apps, in our case), automatically set them up using an LLM agent & plant CTF-style flags, and then attack them with our offsec agent to find 0-day vulnerabilities.

5:30pm - 6:00pm

6:00pm - 6:30pm

In this talk we will give an overview of the latest developments in AI for cybersecurity. Over the past decade, there has been a transformation in the world of cybersecurity due to scale of data. In this coming decade, cybersecurity will be transformed through adoption of AI. In this talk we will discuss some of the challenges the industry is facing in adopting AI and argue for open innovation in AI for cybersecurity.

6:00pm - 6:30pm

Leveraging AI will be critical for securing AGI model weights and algorithmic secrets. Yet, despite a boom in AI-powered cybersecurity, very few projects are applying AI to the most important AGI security challenges. This talk argues for more work in this area, and outlines two strategies for builders: • Rethinking security from first principles for a world with abundant intelligence, rather than merely automating existing processes. • Accelerating the development of key defensive AI capabilities.

6:30pm - 7:15pm

7:15pm - 11:00pm

7:30pm - 8:30pm