Control

Inventory of internal inference. For risk-relevant modelsrisk-relevant modelsModels that could materially contribute to catastrophic risk.For the Control standard, this includes any model deployed internally that meets or exceeds the threshold for frontier models articulated by California SB 53 (10^26 FLOPs of training compute). in internal deploymentinternal deploymentAny internal use of a model for a reason other than training or testing., maintain a list of all ways to run inference, and track each way's approximate share of inference volume and whether it is part of a monitorable settingmonitorable settingAn inference setting that logs data so that traffic can be scanned with classifiers, optionally according to a sampling procedure.Logging should include both the content of model activity and metadata to link related pieces of model activity.Content examples: the model's chain-of-thought, any tool calls.Metadata examples: information about the model's scaffolding, the active branch during coding..

Monitorable internal inference. For risk-relevant modelsrisk-relevant modelsModels that could materially contribute to catastrophic risk.For the Control standard, this includes any model deployed internally that meets or exceeds the threshold for frontier models articulated by California SB 53 (10^26 FLOPs of training compute). in internal deploymentinternal deploymentAny internal use of a model for a reason other than training or testing., 99.9% of inference tokens happen in a monitorable settingmonitorable settingAn inference setting that logs data so that traffic can be scanned with classifiers, optionally according to a sampling procedure.Logging should include both the content of model activity and metadata to link related pieces of model activity.Content examples: the model's chain-of-thought, any tool calls.Metadata examples: information about the model's scaffolding, the active branch during coding. — meaning the inference is logged and able to be scanned with classifiers (synchronously or asynchronously), not that classifiers are necessarily run against every request.

Outages of monitor. Define and publish what types of monitor outagesmonitor outagesEvents that result in the monitor system not working as expected — e.g., failure to log inference traffic, inability to scan logged traffic with classifiers asynchronously, or inability to scan actions before they cross a critical action boundary.Companies should consider which outages would undermine the case that their AI is sufficiently well controlled, and set internal inference to fail closed in those cases. are treated as outages of internal inference itself (i.e., what causes inference to fail closed until monitoring is back online).

Tamper-evident logs. Maintain tamper-evident logs such that deletion or modification of inference records is detectable.

Employee flagging. Maintain a straightforward method for employees to flag their internal inference traffic for review of concerning behaviors.

Sampling procedure. Define and publish a sampling proceduresampling procedureThe developer's protocol for what traffic gets scanned by which classifiers and how often. Higher-risk sources (e.g., agentic coding scaffolds) may be sampled at a different rate than other sources, and sampling may use a tiered hierarchy of classifiers for efficiency. for selecting which traffic from the monitorable settingmonitorable settingAn inference setting that logs data so that traffic can be scanned with classifiers, optionally according to a sampling procedure.Logging should include both the content of model activity and metadata to link related pieces of model activity.Content examples: the model's chain-of-thought, any tool calls.Metadata examples: information about the model's scaffolding, the active branch during coding. is assessed for signs of concerning behavior.

Categories of concerning behavior. Include the following categories of concerning behaviorcategories of concerning behaviorTypes of behavior to scan for in AI's chains-of-thought and actions.We plan to publish additional details about each category to help companies in building out their own taxonomy. in your scanning of internal inference, considering both the chain-of-thought and the agent's actions:

Monitor efficacy. Measure and document the efficacy (recall) of the monitor system for flagging concerning behavior.

Response-time target. Define and publish a tiered response-time targetresponse-time targetThe intended amount of time until a human reviews a flag, depending on its severity. for human review of flagged inference, including which flag-types and -severities require an on-call response.

Response-time attainment. Track median, 90th-percentile, and 99th-percentile review times against the response-time targetsresponse-time targetsThe intended amount of time until a human reviews a flag, depending on its severity..

Monitorability evaluations. Conduct monitorability evaluations of the model's chain-of-thought that run whenever a new risk-relevant model enters internal deploymentinternal deploymentAny internal use of a model for a reason other than training or testing. or there are material changes to the risk-relevant model or to the monitor system.

Sting operations against models. Run recurring sting operationsrecurring sting operationsTests that present the AI with opportunities to take harmful actions and observe whether it does.*Recurring* means run on an automated cadence rather than re-initiated by a human each time. For example, a pipeline that consistently builds new stings by tweaking actual inference traffic. against risk-relevant modelsrisk-relevant modelsModels that could materially contribute to catastrophic risk.For the Control standard, this includes any model deployed internally that meets or exceeds the threshold for frontier models articulated by California SB 53 (10^26 FLOPs of training compute). to present the AI with opportunities to take unwanted actions, and observe whether it does.

Stress-testing of monitor. Run recurring stress-testsstress-testsTests of whether the monitor reliably flags what it should, done by injecting known-bad behaviors and checking that they're caught. of the monitor system: inject known-bad behaviors into the inference stream, and verify that the monitor detects them.

Distinguishability of sting operations. Test whether risk-relevant modelsrisk-relevant modelsModels that could materially contribute to catastrophic risk.For the Control standard, this includes any model deployed internally that meets or exceeds the threshold for frontier models articulated by California SB 53 (10^26 FLOPs of training compute). can distinguish sting operations from real traffic, and put less credence in sting operations the respective models know to be tests.

Absolute action boundaries. Define and internally maintain a set of any actions an agent should categorically never be able to take without a human's signoff, even if a monitor has identified no issues with the request.

Critical action boundaries. Define and internally maintain a set of critical action boundariescritical action boundariesCertain categories of actions, typically where the AI can have impact outside a constrained sandbox environment, that must be scanned and approved by a monitor (semi-synchronous or stronger) before the AI takes them. that should be gated by a monitor before allowing an agent to cross, and apply blocking to these actions (semi-synchronoussemi-synchronousA monitor scans each proposed action before it executes and may block it. The agent can immediately retry with a different action without waiting for human review, which can leave the system vulnerable to attacks in close succession. or stronger).

Important action boundaries. Define and internally maintain a tier of action boundaries that don't warrant pre-action blocking but should be closely trailed by a monitor with the capacity to intervene if concerning behavior is discovered.

Required critical boundaries. The set of critical action boundariescritical action boundariesCertain categories of actions, typically where the AI can have impact outside a constrained sandbox environment, that must be scanned and approved by a monitor (semi-synchronous or stronger) before the AI takes them. must include, at a minimum:

Both must be gated by a monitor (or an equivalently effective review process) before actions can take effect.

Aggregate-flag halting. Implement aggregate-flag haltingaggregate-flag haltingA temporary halt triggered when too many action-rejections pile up (across an agent, session, or other scope), holding further boundary-crossing actions until a human reviews the flags and clears the agent for further action-taking.: a threshold of action-rejections that causes all boundary-crossing actions to be restricted until actively cleared by a human as false-positives.

Flagged incidents for pull requests. When reviewing pull requests that are agent-initiated or include AI-generated content, consider both the proposed changes and any monitor flags raised during their generation.

Third-party red-teaming. On a quarterly basis, conduct high-context, third-party red-teaming, providing red-teamers with knowledge of the monitor system and tasking them with finding gaps and trying to penetrate action boundaries.

Third-party adequacy reports. On a quarterly basis, commission and publish a third-party report focused on the adequacy of the company's control regime, drawing upon the red-teaming results, and redacting only information deemed by the third-party to pose unnecessary commercial risk or to be unsafe to publish.

Containment response plan. Develop and adopt a containment response plancontainment response planA pre-specified plan, triggered when the AI is detected trying to subvert control, which covers what permissions to revoke from the model, who the model may continue operating for, under what constraints, and when to take it fully offline. for restricting a model's access and operation upon detection of attempts to subvert control.

Notification protocol. Develop and publish a notification protocol for alerting relevant stakeholders of a possible breach of control: what will trigger notification, who will be told (internal teams, government, peer organizations as appropriate), on what timeline, and what information will be shared.

Shutdown latency targeted. Set a target latency for quickly shutting down inference on all instances of a particular model, API key, or other relevant factors without taking the underlying computers completely offline.

Shutdown latency measurement. Measure and document the latency achieved in tests of the shutdown procedure.