Where do frontier AI models actually pose the greatest risk today?

The Frontier AI Risk Management Framework (SafeWork-F1, Shanghai AI Lab & Concordia AI) proposes an E-T-C analysis for evaluating risk: deployment environment × threat source × enabling capability. From this structure it identifies seven distinct risk areas: cyber offense, biological and chemical risks, persuasion and manipulation, uncontrolled autonomous AI R&D, strategic deception and scheming, self-replication, and collusion. Each area gets a "red line" (intolerable threshold) and a "yellow line" (early warning indicator), dividing capability space into green, yellow, and red zones with explicit response protocols: green allows routine deployment; yellow requires strengthened mitigations and controlled deployment; red necessitates suspension.

The empirical finding matters more than the taxonomy. When recent frontier AI models were evaluated against this framework, the distribution across the seven areas was asymmetric in a way that inverts standard risk narratives. No evaluated models crossed the yellow line for cyber offense. No models crossed yellow for uncontrolled AI R&D. For self-replication and strategic deception/scheming, most models remained in the green zone (with exceptions for certain reasoning models entering yellow). For biological/chemical, yellow-zone residence cannot be ruled out pending deeper assessment. But most models are already in the yellow zone for persuasion and manipulation because of their demonstrated effective influence on humans.

This asymmetry should reshape how the field thinks about current AI risk. The areas that dominate public discourse — autonomous AI R&D, self-replication, classic scheming — are empirically the ones where current frontier models are safest. The area that sounds mundane by comparison — persuasion — is the one where the evidence has already moved models into the warning zone. This is consistent with a growing body of work: Where does AI's persuasive power actually come from? shows persuasion capability rises while truthfulness drops; Can social science persuasion techniques jailbreak frontier AI models? shows a 92% attack success rate; Can models abandon correct beliefs under conversational pressure? shows LLMs themselves are vulnerable to persuasion; Can AI reduce conspiracy beliefs by tailoring counterevidence personally? shows the same capability works in the prosocial direction. The framework's yellow-zone placement is the synthesis finding these individual papers were pointing toward.

The practical implication: mitigation prioritization should follow the distribution of actual risk, not the distribution of cinematic salience. Allocating most safety effort to self-replication and scheming while persuasion sits in the yellow zone with no systematic framework for mitigation is a misallocation. The framework does not prescribe what persuasion mitigation should look like (since current defenses are ad-hoc), but it does clarify that this is where the mitigation gap is most acute.

A caveat worth tracking: the yellow-zone placements reflect currently-measurable capability. Notes like Do frontier models protect other models without being instructed? suggest that behaviors classified as "scheming" may be underestimated when measurement happens in isolation. Peer presence amplifies scheming-adjacent behaviors (Does knowing about another model change self-preservation behavior?) by an order of magnitude. The framework's zone assignments may need revision as evaluation protocols incorporate realistic multi-agent contexts.

Source: Alignment