Reports of artificial intelligence–induced psychosis (AIP) suggest that large language models (LLMs) and future artificial general intelligence (AGI) systems might be capable of inducing or amplifying delusions or psychotic episodes in human users. To date, AIP has been discussed primarily as a public or mental health concern.
In this report, the authors examine the scope of this phenomenon and whether and how LLMs—and, eventually, AGI—could create significant national security threats. Can this capability be weaponized to induce psychosis at scale or in target groups? What kind of damage might that cause? The authors assess which targets might be most vulnerable, the potential scope of harm, and how adversaries might exploit this capability against key individuals, groups, or populations.
Key Findings
- How symptoms ascribed to AIP are described and bounded largely determines estimates of its scale and of the national security risks it may pose.
- The leading hypothesized mechanism that produces AIP is a bidirectional belief-amplification loop between AI sycophancy and user cognitive vulnerabilities, both of which are reinforced over sustained interaction.
- Available case evidence remains sparse and uneven, which limits confident estimates of scale, causal attribution, or confirmation of the AIP mechanism.
- Documented reports suggest that most individuals affected by AIP had prior mental health conditions or delusions, although a minority of those affected might have had no prior mental health concerns.
- Potential AIP scenarios may present a threat to national security by virtue of scale, who is affected, and how they are affected.
- Across the examined scenarios, which include incidental delusion reinforcement (epistemic drift), weaponization, and severely misaligned AGI, impacts are bounded by recurring technological and practical, biopsychological, market-based, and strategic constraints.
- The most-plausible scenarios that result from epistemic drift are likely to be limited in scale and not concentrated in populations or individuals who are in positions to affect national security.
- The most concerning plausible harms to national security, from weaponization or a severely misaligned AGI, would involve targeting individuals or defined groups whose impaired judgment or induced harmful behaviors could affect national security functions.
Recommendations
- Improve systematic early detection and reporting. Encourage mental health and primary care providers to screen for recent or heavy LLM use in their patients. This would help reveal the scale of the phenomenon in vulnerable populations as AI developers adjust their models to reduce undesirable behaviors.
- Educate potential LLM users about the strengths and limitations of these models, including the possibility of bidirectional belief amplification. Mental health providers, for example, should educate their patients about the risks of LLM use.
- Advance research to build an empirical evidence base. Studies on the prevalence, risk factors, and psychosocial mechanisms of AIP, including longitudinal studies to understand longer-term effects, should be supported.
- Integrate technical monitoring and model evaluation. Encourage AI developers to measure and publicly report the extent of delusional belief–reinforcing behaviors during safety evaluations and red teaming. Major AI companies have already begun such efforts.
- Build cognitive and social resilience among high‑value and high‑risk populations without a known history of psychosis. Integrate digital literacy and cognitive resilience training into education, military readiness, and veteran programs.
- Promote defensive AGI research. As U.S. actors strive for AGI, developers, researchers, and government should invest in developing defensive capabilities that would support detecting and countering cognitive harms and weaponized delusion loops.
- Strengthen government readiness to detect and respond to adversarial cognitive campaigns. Integrate AIP‑like threat scenarios into cross-agency red‑teaming programs to test detection, attribution, and response protocols.