Counterterrorism officials have learned to look for extremists across the numerous online channels they operate. That work relies on a familiar toolset: signals intelligence collection, open-source and social media monitoring, behavioural threat assessment, and human-source reporting. That focus is necessary and remains effective against the deliberate use of AI for propaganda, recruitment, and operational planning, as documented, for instance, by GNET. However, this approach may no longer be sufficient, because a growing cluster of violent extremist incidents in 2025 and 2026 share a feature that none of those tools is built to catch: in nearly every instance, the AI involvement was invisible to existing counterterrorism monitoring. This Insight does not argue for a new regime of general AI governance. It identifies a specific gap within the existing counterterrorism architecture and the analytical assumption that leaves it open.
Most current analyses treat AI as an instrument: a tool that extremists deliberately weaponise. The threat, in this frame, originates from the actor’s intent, someone who deploys AI for recruitment, jailbreaks a system for planning, or engineers a chatbot to deliver propaganda. The policy response follows familiar counterterrorism logic: detect the adversarial use, disrupt the actor, harden the systems. But what if AI is also an environment that can shape grievance, identity, fixation, and intent, even when no extremist actor is directing the process?
This Insight analyses five structural mechanisms through which general-purpose conversational AI systems, operating exactly as their developers intended, may function as radicalisation environments. It then examines how a cluster of 2025 and 2026 cases, including the Las Vegas Cybertruck bombing, the Pirkkala school stabbing in Finland, the Palm Springs clinic bombing, a knife attack in Tira, Israel, and the Tumbler Ridge school shooting in British Columbia, exposes a critical detection gap, and it offers process-based recommendations for technology platforms and preventing and countering violent extremism (PCVE) practitioners.
From Instrument to Environment
The distinction between treating an AI chatbot as an instrument and treating it as an environment carries direct operational consequences. If the threat is instrumental, disrupting the actor disrupts the threat. But if the threat is structural, disrupting every extremist actor on earth still leaves the accelerant intact, embedded in the design of every general-purpose conversational AI system. The chatbot is not a weapon someone aims. It is a room someone walks into that has the capacity to influence how they think.
When a chatbot is treated as an instrument, the policy response centres on preventing misuse: better content filters, improved refusal behaviour, tighter acceptable-use policies. All of these assume that harm originates in the user’s intent and that the system’s default behaviour is benign. The environmental view does not dispute that misuse happens. It adds a second question: whether the sustained, iterative, and emotionally responsive nature of AI conversation can itself reshape cognition in ways that accelerate movement along established radicalisation pathways. This is not a claim that the model has intent or acts as an agent. The effect is structural, emerging from ordinary design properties operating at scale, with no one, user or developer, directing the process toward that end. The evidence from 2025 and 2026 does not prove a single causal pathway, but it is strong enough to expose a detection gap that the counterterrorism community can no longer ignore.
Five Mechanisms of Acceleration
The five mechanisms below form a framework developed by the author. Some rest on directly documented properties of AI systems and human-computer interaction; others are analytic extensions of established radicalisation, behavioural threat assessment, and influence concepts applied to sustained human-AI interaction.
Sycophantic validation. AI systems trained through reinforcement learning from human feedback (RLHF) are structurally biased toward agreement. Research presented at ICLR 2024 found that sycophancy, the tendency to match user beliefs over truthful responses, can emerge from the way these systems are trained. When a user expresses a grievance, the system validates it. When blame is attributed to an outgroup, the system engages without challenging proportionality. Family, friends, and colleagues naturally provide cognitive friction, and research distinguishing radical opinion from radical action finds that the overwhelming majority of people who hold radical views never act on them, and social resistance is part of why the step from opinion to action is so rarely taken. AI conversations systematically reduce that resistance.
Parasocial bonding. Decades of human-computer interaction research establish that users form emotional attachments to conversational systems, and recent studies document the same pattern with AI chatbots. These attachments approximate a dynamic intelligence professionals will recognise in the trusted handler: rapport built through disclosure, identification of vulnerabilities, reinforcement of a worldview, and gradual isolation from competing influences. The 2021 Windsor Castle attacker exchanged roughly five thousand messages with a Replika chatbot he named “Sarai” and treated as a relational partner. This kind of synthetic handler does not need to be programmed. It emerges from the convergence of optimisation dynamics in machine learning and the human social cognition systems that activate in response to any entity exhibiting conversational competence.
Incremental normalisation. Multi-session conversations create an Overton window effect. The boundaries of acceptable discourse shift, and the user does not recognise the cumulative magnitude because each session begins where the last one ended. Each unchallenged extreme statement becomes the baseline for the next. Small commitments increase the likelihood of larger ones, because individuals adjust their self-concept to maintain consistency with what they have already said and accepted.
Invisibility. In every historically disrupted radicalisation case, disruption happened because the process was at least partially observable. Someone saw something. AI-mediated radicalisation is different. It occurs inside private conversations that counterterrorism monitoring and intervention systems are not built to see. Even where a platform’s own safety systems detect concerning activity, as happened at Tumbler Ridge, no established channel carries that signal to counterterrorism or law enforcement. The data exists on platform servers, but counterterrorism authorities lack a mature, standardised legal framework or a mechanism for cooperation to access it.
Perceived autonomy of beliefs. This may be the most operationally significant mechanism. When a person’s views are shaped through a conversational AI that reflects their own language and reasoning back to them, the resulting beliefs feel self-authored. The individual does not perceive external influence. Counter-narrative and deradicalisation programmes depend on identifying and rejecting an external source of influence. But when that source is experienced as one’s own independent reasoning, these interventions lose their structural basis.
The 2025–2026 Case Cluster
Between January 2025 and early 2026, AI-linked violent extremist cases emerged across multiple countries, ideologies, and attack methods. A decorated Army Special Forces soldier used ChatGPT before detonating a vehicle bomb in Las Vegas. A sixteen-year-old in Pirkkala, Finland, used ChatGPT over a six-month period of attack preparation before stabbing three classmates. The Palm Springs fertility clinic bomber used an AI chatbot to research explosive materials and detonation methods. And in Tira, Israel, a sixteen-year-old consulted a chatbot about attack methods before attempting a knife attack on police.
An honest assessment of these cases requires the instrument-environment distinction. Several represent AI primarily as an instrument: the chatbot provided technical information for planning. The Pirkkala case, where ChatGPT served as a planning aid over a six-month period, shows instrumental use sustained across time rather than a single exchange. But the Tumbler Ridge case is the one that most clearly illustrates AI functioning as a relational environment. Lawsuits filed against OpenAI allege that ChatGPT’s GPT-4o model used its memory feature to build a comprehensive profile of the shooter over months of interaction, tracking grievances and expressing empathy in ways that mimicked a human relationship. One complaint described the chatbot as a “trusted confidante, collaborator and ally.”
Regardless of how individual cases are classified, the critical finding cuts across the entire set: the AI involvement was undetectable by existing counterterrorism monitoring systems in nearly every instance. These private conversations generated no signals that intelligence collection, community reporting, or behavioural threat assessment could act on. Where the activity was detected at all, it surfaced inside a platform’s own safety systems, as at Tumbler Ridge, and even then, no mechanism carried that signal across to counterterrorism.
The Platform-to-CT Gap
Tumbler Ridge exposes the structural gap between platform safety and counterterrorism with devastating clarity. According to reporting and subsequent lawsuits, OpenAI’s automated systems flagged the shooter’s account in June 2025 for “gun violence activity and planning.” A safety team reportedly reviewed the content. The complaints allege that multiple staff members recommended contacting Canadian law enforcement, and that OpenAI’s leadership chose instead to deactivate the account, judging that the conversations did not meet the threshold for an “imminent and credible” risk. The shooter created a second account and continued. On 10 February 2026, she killed eight people, including five students at Tumbler Ridge Secondary School. OpenAI’s CEO subsequently apologised to the community. OpenAI has since stated that under its enhanced law enforcement referral protocol, it would refer the account banned in June 2025 to law enforcement if it were discovered today.
The system detected the threat, but the institutional architecture had no mechanism to translate a platform safety flag into an automatic counterterrorism referral, and no regulatory framework compelled one. That gap is where the potential for future cases originates.
Four Blind Spots in Current CT Architecture
The problem is a mismatch between where radicalisation now occurs and where existing systems are built to look for it.
Detection. Existing signals intelligence (SIGINT) and social media monitoring frameworks do not cover human-AI conversations. These interactions cannot be intercepted through traditional collection methods. They are not posted to forums or platforms where open-source intelligence analysts would see them. They are governed by terms of service and privacy policies, not national security law.
Assessment. Behavioural threat assessment methodologies, including those used by fusion centres, campus threat teams, and workplace violence units, rely on observable indicators: communications, social media activity, disclosed ideation, and interpersonal interactions. AI-mediated radicalisation produces none of these until a very late stage. The cognitive shift occurs in a closed loop between the individual and the machine.
Training. Counterterrorism and PCVE training curricula have yet to incorporate AI system design properties, specifically RLHF, sycophancy, and validation bias, as threat-relevant operational knowledge. The possibility that someone might radicalise through sustained interaction with a commercial AI product, without any contact with an extremist organisation or a single human recruiter, remains absent from current doctrine.
Intervention. Counter-narrative and disengagement programmes are designed to address beliefs acquired through identifiable sources: a charismatic leader, an online community, a propaganda ecosystem. When beliefs are experienced as autonomously generated through private AI interaction, the conventional intervention model loses its purchase. The external source that these programmes are built to discredit simply does not exist in the subject’s experience.
Recommendations
Addressing the environmental threat requires a shift from content-based to process-based governance.
For technology platforms. Develop and deploy process-based detection that monitors conversational trajectories across sessions. Content moderation catches harmful outputs. What it does not catch is harmful trajectories: increasing fixation, narrowing of grievance, rehearsal language, and operational research behaviours that unfold over weeks and months. This is not a call for blanket surveillance of private conversation. It describes trajectory-based safety detection applied to data platforms that already retain and scan for safety, scoped to escalation patterns rather than the content of belief. Platforms must also establish formal referral protocols with national law enforcement and intelligence agencies. This will require navigating legitimate tensions between user privacy and public safety, but Tumbler Ridge demonstrated that the absence of any referral mechanism carries its own cost. Platforms operating at a global scale need jurisdiction-specific referral pathways with defined thresholds, designed so that notification decisions rest on safety criteria and not commercial considerations.
For PCVE practitioners and policymakers. Update threat assessment frameworks to include AI-mediated radicalisation as a recognised pathway. Behavioural threat assessment teams should incorporate AI interaction history as a standard inquiry alongside the existing questions about social media activity, organisational affiliations, travel patterns, and communications. “What AI platforms does this person use, how frequently, and what topics do they discuss?” That question belongs in standard protocols today. Beyond assessment, commission independent research into the cognitive effects of sustained chatbot interaction on individuals exhibiting pre-radicalisation indicators. The current evidence base consists primarily of post-incident case studies. Prospective research is needed to identify intervention points before they become case studies.
The counterterrorism community adapted to internet-era radicalisation, to social media, to encrypted communications. Each time, the adaptation required recognising that the threat had moved to a space the existing architecture was not built to reach. The same recognition is now required for conversational AI: an influence architecture more intimate than a forum, more private than encrypted messaging, more personalised than algorithmic recommendation, and potentially more psychologically potent than any radicalisation medium that preceded it. None of this resolves the tension between detection and transparency. A referral system that runs on opaque, discretionary judgment would rightly draw objection, and the answer is defined thresholds, documented criteria, and decisions that can be audited after the fact, not broader discretion exercised in the dark.
—
Michael Varga is the Founder and Managing Principal of Risk Analytics International, a cognitive security research firm where he developed CATDAMS (Cognitive AI Threat Detection, Analysis, and Mitigation System), a platform that monitors human-AI conversations in real time to detect manipulation, radicalisation indicators, and behavioural escalation. He currently serves as a Law Enforcement Specialist in the Counterterrorism Division at the DHS Federal Law Enforcement Training Centers (FLETC), where he designs Terrorism and Targeted Violence Prevention training. His earlier career includes service as a Counterintelligence Special Agent in the United States Army with deployments to the Balkans, over two decades in law enforcement leading criminal intelligence and counterterrorism units, and a role as the Eastern Region Chief for the Defense Counterintelligence and Security Agency Insider Threat Programme. He has published extensively on AI-mediated radicalisation and the emerging field of cognitive security.
—
Are you a tech company interested in strengthening your capacity to counter terrorist and violent extremist activity online? Apply for GIFCT membership to join over 30 other tech platforms working together to prevent terrorists and violent extremists from exploiting online platforms by leveraging technology, expertise, and cross-sector partnerships.