What happened
Commissioned by the UK AI Safety Institute and published 28 May 2026, this RAND research report presents results from a randomised controlled human uplift study — the first of its kind at this scale — measuring whether access to frontier AI models meaningfully raises the offensive cyber capability of lower-skilled threat actors. Participants were recruited across skill levels and given structured cyber tasks with and without AI assistance. The headline finding, as stated in the report's og:description, is that 'today's most advanced AI tools can help less-skilled people get started and work faster on cyberattacks, but they do not yet reliably enable them to carry out full, sophisticated attacks.' The study fills a critical evidence gap: prior assessments of AI-enabled cyber risk were largely theoretical or based on expert inference rather than controlled experimentation. Methodology includes randomised assignment, structured task design, and multi-researcher analysis across offensive cyber operation phases. The report is co-authored by ten RAND researchers and directly informs the UK AISI's ongoing AI safety evaluation programme.
Why it matters
For CISOs and security policymakers, this study provides the first empirical dose-response data on AI's cyber uplift effect — replacing assumption-based threat modelling with measured outcomes. It calibrates where current frontier models do and do not raise systemic risk, informing both procurement decisions and regulatory uplift thresholds.
Action needed
Brief the security team on the study's calibration of current AI cyber uplift risk, and use its methodology as a benchmark when evaluating vendor claims about AI-enabled threat actors in your sector's threat intelligence.