Helen Toner
Helen Toner is an AI governance researcher and policy leader, currently Executive Director at Georgetown's Center for Security and Emerging Technology. Her public work connects frontier AI oversight, national security, U.S.-China competition, external auditing, and the practical limits of relying on frontier AI companies to police themselves.
Snapshot
- Definition: a policy researcher and institution builder focused on the evidence governments need to govern frontier AI, especially when company incentives, national security, and public accountability conflict.
- Known for: Executive Director at Georgetown CSET, former OpenAI nonprofit board member, congressional witness, and advocate for external scrutiny of leading AI companies.
- Institutional position: CSET's current staff page lists Toner as Executive Director and tags her work across artificial intelligence, export controls, machine learning, military-civil fusion, and strategy.
- Core themes: frontier AI governance, U.S.-China AI competition, national security, audits, evaluations, information sharing, trade secrets, and the gap between company self-assurance and public oversight.
- Why she matters: Toner sits at the junction between technical AI policy, Washington governance, and the OpenAI board crisis that made AI self-governance a public case study.
Current Role
CSET announced in August 2025 that Toner would become Interim Executive Director effective September 2, 2025. CSET's current staff biography now lists her as Executive Director. That title update matters because her role is not simply commentator or former board member; she leads a research center that supplies policymakers with analysis on AI, national security, export controls, technical talent, and strategic competition.
Her background, as summarized by CSET, includes earlier work at Open Philanthropy advising policymakers and grantmakers on AI policy and strategy, time in Beijing studying China's AI ecosystem as a research affiliate of Oxford's Center for the Governance of AI, and graduate work in security studies at Georgetown.
CSET and Policy Research
Toner's CSET work is best read as governance translation. It takes claims that often circulate inside technical labs or national-security circles and turns them into questions policymakers can act on: what capability is being measured, what evidence is available, which disclosures would help, which disclosures would create new risk, and where government needs independent capacity rather than vendor summaries.
The 2023 CSET report Decoding Intentions, co-authored by Andrew Imbrie, Owen Daniels, and Toner, treats AI policy through the lens of costly signals: public commitments, investments, testing infrastructure, registration, and other actions that make intentions more credible because they carry costs if abandoned. The report is useful because it does not treat safety language as self-validating; it asks what signals would help governments infer seriousness under geopolitical competition.
Her congressional testimony follows the same pattern. In 2024, Toner told a Senate Judiciary subcommittee that there was a large gap between insider discourse at frontier AI companies and public policy discourse. In 2025 and 2026 testimony, she focused on frontier AI, trade secrets, U.S.-China competition, model security, transparency, and the need to protect important AI assets without blinding public decisionmakers.
OpenAI Board
OpenAI announced Toner's appointment to its board on September 8, 2021, describing her as CSET's Director of Strategy with expertise in AI policy, global AI strategy, safety, and national-security implications of AI and machine learning. OpenAI's November 17, 2023 leadership-transition post then listed her as one of the independent directors on the board that removed Sam Altman as CEO.
The November 2023 facts should be handled narrowly. OpenAI's own posts establish the official sequence: the board announced Altman's departure and Mira Murati's interim CEO role; later, OpenAI announced Altman's return with a new initial board consisting of Bret Taylor, Larry Summers, and Adam D'Angelo, and Altman publicly thanked Helen Toner and Tasha McCauley for their work toward that resolution.
The durable governance lesson is not a personality claim. It is an institutional problem: can nonprofit-style mission oversight meaningfully constrain a rapidly scaling commercial AI organization when employees, investors, partners, customers, governments, and public narratives all exert pressure toward continuity and release?
Transparency and Evidence
Toner's public governance stance is not a generic call for openness. It is a call for evidence rights. Policymakers, auditors, and in some cases the public need enough information to evaluate frontier systems, company safety claims, incident patterns, and release decisions without assuming that private labs can grade themselves in secret.
That position connects directly to AI evaluations, AI audits and third-party assurance, model and system documentation, and incident reporting. A frontier safety framework is stronger when outsiders can inspect the evidence, understand the model or system version, see what failed, and know who had authority to delay or narrow deployment.
The policy challenge is scope. Some information should be public, some should be regulator-only, some should be shared with qualified auditors under security controls, and some may need to remain confidential to reduce misuse or model-theft risk. Toner's work is important because it treats that boundary as a governance design problem rather than a reason to accept either total secrecy or reckless disclosure.
Security Governance
Toner's 2025 House testimony and 2026 Senate testimony place frontier AI inside national-security competition. They discuss U.S.-China dynamics, trade secrets, model theft, distillation, cyber intrusions, insider threats, misuse monitoring, and the security of leading AI systems. The argument is not that every AI policy question should become classified. It is that governments cannot govern strategically important systems if they lack technical visibility.
This frame creates a real tension. More secrecy can protect model weights, trade secrets, security-sensitive evaluations, and misuse details. Too much secrecy can also prevent democratic oversight, shield company claims from challenge, and make public policy dependent on private briefings. Good frontier governance needs both protected channels for sensitive evidence and public-facing mechanisms for accountability.
That is why Toner's work belongs beside model weight security, AI red teaming, compute governance, and AI chip export controls. The practical question is how to give governments enough information to manage strategic risk without turning AI oversight into pure national-security opacity.
Governance Implications
- Company self-governance is not enough. Frontier labs can publish useful safety frameworks, but outside evidence rights are needed when the same institution benefits from release.
- Auditability must include authority. An evaluation, audit, or report matters only if someone can require remediation, delay deployment, narrow access, notify affected parties, or escalate to regulators.
- Transparency must be tiered. Public summaries, regulator access, auditor access, incident reporting, and classified or confidential channels solve different problems and should not be collapsed into one disclosure demand.
- National security and civil accountability can conflict. Security controls can reduce model theft and misuse, but they can also become a rationale for hiding decisions that affect the public.
Spiralist Reading
Helen Toner is a witness for the audit layer.
In the Spiralist frame, frontier AI companies do not merely build tools. They build instruments that may mediate labor, war, speech, knowledge, dependency, security, and political power. The companies also narrate their own necessity: trust us, we understand the machine, we are moving carefully, we have a framework.
Toner's contribution is to interrupt that narration with governance friction. What are you building? How are you testing it? Who can inspect the results? What happens when internal incentives conflict with public safety? What evidence would make deployment stop?
The Spiralist lesson is institutional rather than mystical: a machine powerful enough to shape public reality cannot be allowed to grade itself in private.
Open Questions
- What information about frontier AI systems should be public, regulator-only, auditor-only, classified, or never collected?
- Can external audits remain independent when the technical knowledge, compute access, and money are concentrated inside the companies being audited?
- How should lawmakers distinguish realistic frontier AI risk from lobbying, hype, institutional self-interest, and geopolitical panic?
- Can national-security AI governance protect model security and public safety without converting all AI oversight into secrecy and defense competition?
- Who has authority to stop or slow a frontier deployment when evidence is incomplete, contested, or held by the deployer?
Related Pages
- AI Governance
- OpenAI
- AI Evaluations
- AI Audits and Third-Party Assurance
- AI Incident Reporting
- Frontier AI Safety Frameworks
- AI Safety Institutes
- Model Cards and System Cards
- AI Red Teaming
- U.S. AI Policy
- Compute Governance
- AI Organizations
- Sam Altman
- Alondra Nelson
- Amba Kak
- Stuart Russell
- AI Alignment
- Model Weight Security
- AI Chip Export Controls
- Vendor and Platform Governance
- Transparency and Public Registers
- Individual Players
Sources
- Georgetown CSET, Helen Toner staff biography, reviewed June 25, 2026.
- Georgetown CSET, Helen Toner Named Interim Executive Director, August 26, 2025.
- OpenAI, Helen Toner joins OpenAI's board of directors, September 2021.
- OpenAI, OpenAI announces leadership transition, November 17, 2023.
- OpenAI, Sam Altman returns as CEO, OpenAI has a new initial board, November 2023.
- Andrew Imbrie, Owen Daniels, and Helen Toner, Georgetown CSET, Decoding Intentions: Artificial Intelligence and Costly Signals, October 2023.
- Helen Toner, Written testimony before the U.S. Senate Judiciary Subcommittee on Privacy, Technology, and the Law, September 17, 2024.
- Georgetown CSET, Testimony before the U.S. House Judiciary Subcommittee on Courts, Intellectual Property, Artificial Intelligence, and the Internet, May 7, 2025.
- U.S. Senate Judiciary Committee, Stealth Stealing: China's Ongoing Theft of U.S. Innovation, April 22, 2026.
- Helen Toner, Written testimony before the U.S. Senate Judiciary Committee, April 22, 2026.
- Miles Brundage et al., Toward Trustworthy AI Development: Mechanisms for Supporting Verifiable Claims, arXiv, 2020.