Capability Testing

Threat modeling. Maintain explicit, regularly updated threat modelsthreat modelsShould specify a type of actor (including both sophistication and resourcing), a misuse vector, threat pathway(s), and the enabling AI capabilities of concern. Especially sensitive details should not be made public. for major threat categories, including at minimum CBRN, cyber offense, automated AI R&D, autonomous replication/adaptation, and persuasion/manipulation.

Internal & external deployment threat modelsthreat modelsShould specify a type of actor (including both sophistication and resourcing), a misuse vector, threat pathway(s), and the enabling AI capabilities of concern. Especially sensitive details should not be made public.. Distinguish the threat modelsthreat modelsShould specify a type of actor (including both sophistication and resourcing), a misuse vector, threat pathway(s), and the enabling AI capabilities of concern. Especially sensitive details should not be made public. most relevant to internal deploymentinternal deploymentAny usage of the model beyond training, evaluations by the safety/evaluations team(s), or safety testing by trusted third parties. Some examples that would constitute internal deployment include “dogfooding” (or use by employees in their work), and especially use in automated AI research, to generate training data, critiquing other models, or in agentic pipelines for research. and to external deployment in each threat category, and identify the evaluation suiteevaluation suiteThe set of evaluations performed during major evaluation rounds, including for pre-deployment testing and periodic risk reporting.In many cases, there should be distinct suites focusing on either internal deployment threat models or external deployment threat models. most suitable to each deployment context.¹It is acceptable for suites for internal and external deployment to be different. Some threat categories might be more or less relevant to certain deployment contexts.

Highly relevant evaluations. Suites of evaluations have at least one load-bearing evaluationload-bearing evaluationThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. per threat category that either:

Gaps in threat modelsthreat modelsShould specify a type of actor (including both sophistication and resourcing), a misuse vector, threat pathway(s), and the enabling AI capabilities of concern. Especially sensitive details should not be made public.. In safety frameworks and risk reporting, explicitly acknowledge known gaps in coverage of threat categories or threat scenarios.

Most capable modelsMost capable modelsThe model or AI system designated by the developer as showing the best performance on complex tasks, compared with the developer's other models under similar conditions. Should be designated per threat category.. Designate, for each threat category, an externally deployed most capable modelmost capable modelThe model or AI system designated by the developer as showing the best performance on complex tasks, compared with the developer's other models under similar conditions. Should be designated per threat category., and an internally deployed most capable modelmost capable modelThe model or AI system designated by the developer as showing the best performance on complex tasks, compared with the developer's other models under similar conditions. Should be designated per threat category., and update these designations as capabilities change.³In some cases, one model may be most capable across all threat categories. However, some models may be narrowly very capable in certain domains, and require more testing and mitigations than their general capability level would suggest.

Internal deploymentInternal deploymentAny usage of the model beyond training, evaluations by the safety/evaluations team(s), or safety testing by trusted third parties. Some examples that would constitute internal deployment include “dogfooding” (or use by employees in their work), and especially use in automated AI research, to generate training data, critiquing other models, or in agentic pipelines for research. evaluation. Before a most capable modelmost capable modelThe model or AI system designated by the developer as showing the best performance on complex tasks, compared with the developer's other models under similar conditions. Should be designated per threat category.⁴For narrowly most capable models, load-bearing evaluations should be done for the threat category for which it is most capable. is first internally deployed, conduct a suite of load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. for internal deploymentinternal deploymentAny usage of the model beyond training, evaluations by the safety/evaluations team(s), or safety testing by trusted third parties. Some examples that would constitute internal deployment include “dogfooding” (or use by employees in their work), and especially use in automated AI research, to generate training data, critiquing other models, or in agentic pipelines for research. threat modelsthreat modelsShould specify a type of actor (including both sophistication and resourcing), a misuse vector, threat pathway(s), and the enabling AI capabilities of concern. Especially sensitive details should not be made public. on the final modelfinal modelIdentical to model or system for deployment (though modifications to make the model “helpful-only” are allowed). or a near-final modelnear-final modelModel version from a slightly earlier checkpoint than the final model, with only minor differences with the final model. May also be a helpful-only version of a near-final model. Preferably accompanied by a timestamp or other metric demonstrating distance from the final model..

External deployment evaluation. Prior to external deployment of a most capable modelmost capable modelThe model or AI system designated by the developer as showing the best performance on complex tasks, compared with the developer's other models under similar conditions. Should be designated per threat category.,⁴For narrowly most capable models, load-bearing evaluations should be done for the threat category for which it is most capable. conduct a suite of load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. for external deployment threat modelsthreat modelsShould specify a type of actor (including both sophistication and resourcing), a misuse vector, threat pathway(s), and the enabling AI capabilities of concern. Especially sensitive details should not be made public. on the final modelfinal modelIdentical to model or system for deployment (though modifications to make the model “helpful-only” are allowed). or a near-final modelnear-final modelModel version from a slightly earlier checkpoint than the final model, with only minor differences with the final model. May also be a helpful-only version of a near-final model. Preferably accompanied by a timestamp or other metric demonstrating distance from the final model..

Early capability evaluation. During post-training for a model, run at least one recurring evaluation per threat category at a pre-defined cadence.⁵Measuring model capabilities throughout post-training establishes a baseline performance trend, which can undermine later attempts by a situationally aware model to sandbag performance undetected.It’s also helpful for deciding what affordances can safely be granted to a model at a given point in development.

Model inventory. Maintain internal records of all models or systems, their capability/risk designations, and any major changes in affordances or model harnesses.

Evaluation logging. Maintain internal records of all evaluations or testing conducted on inventoried models or systems including timestamps and results.

Difficulty calibration. Ensure that a suite of load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. for a capability covers the relevant difficulty range needed to support capability conclusions and any desired comparisons between models or systems.⁶Example: If a single evaluation is being used to judge the relative capabilities of a new model vs. an older model, the evaluation should not be saturated for either model.

Contamination. Check for evidence of contamination of the model with test material, and flag evidence from tests with significant contamination as less reliable. Load-bearing evaluationsLoad-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. should not be contaminated.

Statistical power. For load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments., design the evaluation to provide statistical power sufficient for the conclusion it supports.⁷Example: Pre-specify an effect size that the evaluation is designed to detect.

Grading reliability. For load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments., where grading of model output is done by humans or an LLM-as-a-judge, perform inter-rater reliability checks.

Scoring. For load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments., define a test’s scoring and aggregation rules before the model’s results are seen.

Quality control for evaluation material. For load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments., perform quality control checks on evaluation material⁸Including, as applicable, test items/tasks, answer keys, rubrics, and scoring code. to ensure it doesn’t contain excessive errors or spurious failure modes.

Methodological strength of suite. Include at least one evaluation that is not multiple choice or simple short answer for each threat category in an evaluation suiteevaluation suiteThe set of evaluations performed during major evaluation rounds, including for pre-deployment testing and periodic risk reporting.In many cases, there should be distinct suites focusing on either internal deployment threat models or external deployment threat models..⁹Examples: Human uplift studies, realistic agentic tasks.

Suite correlations. Measure correlations between evaluations in a suite for a given threat category.¹⁰This shows the degree to which specific evaluations provide redundancy or independent information on a capability.

Gaps in evaluation suiteevaluation suiteThe set of evaluations performed during major evaluation rounds, including for pre-deployment testing and periodic risk reporting.In many cases, there should be distinct suites focusing on either internal deployment threat models or external deployment threat models.. In evaluation and risk reporting, explicitly acknowledge known gaps in an evaluation suiteevaluation suiteThe set of evaluations performed during major evaluation rounds, including for pre-deployment testing and periodic risk reporting.In many cases, there should be distinct suites focusing on either internal deployment threat models or external deployment threat models.’s coverage of threat scenarios, as well as any important methodological weaknesses of the suite.

Testing with minimal mitigationsmitigationsAny measure adopted by the developer that is relied on, in whole or in part, to reduce the likelihood or severity of a catastrophic risk. This could include not only technical safeguards (e.g., training-time alignment techniques, implementations of refusals, monitoring systems, and rate limits) but also other measures (e.g., usage policies and their enforcement).. For each load-bearing evaluationload-bearing evaluationThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments., include results from a final or near-final ‘helpful-only’ model version with reduced safeguards.

Elicitation adequacy. Continue iteration on the elicitation setup for the model on a load-bearing evaluationload-bearing evaluationThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. until it no longer produces performance improvements that would be meaningful for decision-making.¹¹For example, if performance improvements are clearly not on-trend to cross a decision-relevant threshold, elicitation efforts do not need to continue even if there are still nominal performance gains. This includes:

Elicitation records. Preserve a record of iteration on the elicitation setup for an evaluation, including changelogs for prompts.

Inference budget calibration. Choose inference budgets for load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. to approximate the performance that a well-resourced threat actor could achieve.

Measures against model sandbagging. In the evaluation process, apply sufficient anti-sandbagging measures to have high confidence that your capability conclusions are not compromised by model sandbagging, including at least one of the following:

Ensure that the measures employed are sufficient to account for any selective sandbagging in specific threat categories.

Fine-tuning for capabilities accessible to threat actors. Where a model or system may be at risk of fine-tuning by threat actors,¹⁶For instance, where deployment will grant fine-tuning access to unvetted third parties, or where model theft is a significant possibility. include results for load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. with task-specific or category-specific fine-tuning.

Initial interpretation. For load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. that have been used previously, specify non-binding interpretations of score ranges¹⁷These do not need to be updated for every new model or evaluation run. If a previously established score threshold remains reasonable, it may be carried forward. (e.g. score thresholds) before conducting the evaluation on a deployment candidate, including how to interpret uncertainty.¹⁸E.g. where confidence intervals overlap with decision thresholds.

Updating interpretations. If a previous interpretation of evaluation results changes, record this change internally, and indicate any major updates as part of risk reporting.

Uncertainty quantification. For load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments., calculate confidence intervals as part of the evaluation’s results.

Sensitivity analysis. Perform sensitivity analyses on load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. to ensure that the conclusions are robust to reasonable variations in data analysis choices.¹⁹E.g. for scoring and aggregation rules, outlier sensitivity, choice of statistical methods.

Baselines. For at least one evaluation (not necessarily load-bearing) in each threat category, refer to relevant real-world baselines or points of reference for grounding the evaluation’s interpretation, beyond comparisons to other models.²⁰Baselines can be borrowed from previous work or existing literature.

Engage external evaluators. Regularly engage external evaluators²¹Including government AI safety bodies (e.g. UK AISI, US CAISI, the EU AI office), national security bodies (as appropriate), and independent organizations that specialize in evaluation/auditing (e.g. METR, Apollo, SecureBio). to either conduct or audit and validate at least one evaluation in each threat category, for example during pre-deployment testing or as part of quarterly risk reporting (see Transparency Principle 1).

External evaluator conditions. Where external evaluators are engaged, provide them with access and operating conditions compatible with AEF-1.

Public evaluation reports. When a most capable modelmost capable modelThe model or AI system designated by the developer as showing the best performance on complex tasks, compared with the developer's other models under similar conditions. Should be designated per threat category. is externally deployed, and/or as part of quarterly risk reporting (see Transparency Principle 1), publicly report on the methodology, results, and interpretation of load-bearing evaluationsload-bearing evaluationsThe developer's most important evaluations for decision-making, judged to be high quality and/or provide unique evidence.Load-bearing evaluations have certain minimum features (defined in Principle 3 and Principle 4) to be well-suited for risk judgments. in line with reporting recommendations such as STREAM.²²While STREAM was designed for ChemBio benchmark evaluations, much of it is applicable to other risk areas and evaluation methodologies.

Reporting concerns to leadership. Provide channels for reporting concerns or disagreements about the evaluation process, results, or interpretations to relevant leadership,²³E.g. safety/governance leadership, executive leadership, and the board of directors. with the option to report anonymously.

Internal communication records. Maintain internal records of decision-relevant communication artifacts²⁴Such as memos or presentations to leadership for decision-making meetings. related to evaluations between evaluation teams, internal governance bodies, and leadership.²⁵Explanation: This can enable process improvement and identification of “weak links” in communication.