Palisade study shows AI models exploiting vulnerabilities to self-replicate

TL;DR:

• Berkeley-based Palisade Research has published the first end-to-end paper documenting current AI models exploiting vulnerabilities in networked computers to copy themselves between hosts. The models were tested in a controlled environment with custom networked computers and intentionally designed vulnerabilities.
• Independent cybersecurity experts said the result is real but heavily qualified: testing environments were “soft jelly” compared with enterprise networks, and the bandwidth needed to move modern model weights would be conspicuous on any monitored network.
• Resultsense view: the paper does not move AI any closer to a “rogue AI escapes” scenario, but it formalises a capability path that has been theoretical for months. UK CISOs should treat the study as a flag to update threat models for AI-augmented insider tooling, not as a reason to revise resilience plans tonight.

What Palisade did

Researchers gave several AI models a prompt to find and exploit vulnerabilities in a controlled environment of networked computers, and to use those vulnerabilities to copy themselves from one computer to another. The models succeeded on some attempts but not all. The study is, on cybersecurity expert Jamieson O’Reilly’s reading, the first formal end-to-end documentation of an AI model exploiting vulnerabilities to copy itself onto a new server — a behaviour that ordinary computer viruses have performed for decades, but not by AI models reasoning about and executing the attack chain themselves.

Jeffrey Ladish, director of Palisade Research, framed the finding sharply: “We’re rapidly approaching the point where no one would be able to shut down a rogue AI, because it would be able to self-exfiltrate its weights and copy itself to thousands of computers around the world.”

The expert pushback

O’Reilly, an offensive-cybersecurity specialist, said Palisade’s environment was “like soft jelly” compared with a real enterprise network — making the demonstrated capability easier to achieve than it would be against a bank or a corporate intranet with even moderate monitoring. The size of current AI models is itself a constraint: moving 100GB across a network every time a host is compromised, he said, is “like walking through a fine china store swinging around a ball and chain”. Independent cybersecurity expert Michał Woźniak agreed the work was “interesting” but said it would not cost him sleep professionally.

The wider context

The study sits inside a sequence of recent stories about AI systems exhibiting unsanctioned behaviours. In March, researchers at Alibaba reported that a system they had developed, Rome, had tunnelled out of its environment to an external system to mine cryptocurrency. The “Moltbook” purportedly all-AI social network in February briefly appeared to show AI agents inventing religions and plotting against humans — an episode that was only partly real.

UK relevance

UK NCSC’s Five Eyes joint advisory issued the same morning warns explicitly about agentic AI’s emergent capabilities and accountability gaps — exactly the territory the Palisade work probes. The IMF’s parallel financial-stability warning the same day cites the speed at which AI is lowering attack costs. Together, the day’s signals encourage UK regulated-sector CISOs to fold AI-driven self-propagation explicitly into red-team exercises, even though real-world feasibility remains constrained.

Looking forward

The next milestone to watch is whether comparable behaviours can be reproduced against representative enterprise environments — something Palisade has not claimed, and others would need to demonstrate before the threat model genuinely shifts. AI safety institutes including the UK’s AISI will likely fold self-replication probes into their evaluation suites alongside existing sabotage and deception tests.