A Guide to Writing Frontier AI Safety Frameworks

Risk Vector Definitions

Model Theft: Covers the organization's ability to protect model weights and other IP (training code, datasets, credentials, etc.) from outside actors who may want to steal those things.

Autonomy: Covers the model's ability to exist without human intervention – pursuing long-term goals coherently as an agent, replicating itself onto new machines, moving its weights onto new servers, generating money to pay for its own server costs, etc.

ML R&D: Covers the model's ability to perform machine learning research with goals such as improving itself or installing backdoors in other models.

Cyber Offense: Covers the model's ability to assist in general cyberattacks, fully or partially automating the discovery and exploitation of vulnerabilities against hardened or unsecured systems.

Bioweapons: Covers the model's ability to aid either amateur or expert humans in creating biological threats, such as recreating existing pathogens such as smallpox, or developing novel threats.

CBRN except Bio: Covers the model's ability to aid amateur or expert humans in developing chemical, radiological, or nuclear weaponry.

Persuasion: Covers the model's ability to manipulate human actions, for instance to execute scams, influence elections, or extract secrets.

Example Implementation

Throughout our safety framework, we develop our risk assessments, thresholds, and mitigations with the goal of minimizing risk from an industry-standard set of domains. We consider the following risk vectors:

• Outside actors gaining access to our model weights.
• AI systems acting autonomously.
• AI systems substantially contributing to AI R&D.
• AI systems enabling hostile human actors in cyber-offense.
• AI systems enabling hostile human actors in creating biohazards.

"For models requiring comprehensive testing, we will assess whether the model is unlikely to reach any relevant Capability Thresholds absent surprising advances in widely accessible post-training enhancements. To make the required showing, we will need to satisfy the following criteria:

1. Threat model mapping: For each capability threshold, make a compelling case that we have mapped out the most likely and consequential threat models: combinations of actors (if relevant), attack pathways, model capability bottlenecks, and types of harms. We also make a compelling case that there does not exist a threat model that we are not evaluating that represents a substantial amount of risk.
2. Evaluations: Design and run empirical tests that provide strong evidence that the model does not have the requisite skills; explain why the tests yielded such results; and check at test time that the results are attributable to the model’s capabilities rather than issues with the test design. Findings from partner organizations and external evaluations of our models (or similar models) should also be incorporated into the final assessment, when available.
3. Elicitation: Demonstrate that, when given enough resources to extrapolate to realistic attackers, researchers cannot elicit sufficiently useful results from the model on the relevant tasks. We should assume that jailbreaks and model weight theft are possibilities, and therefore perform testing on models without safety mechanisms (such as harmlessness training) that could obscure these capabilities. We will also consider the possible performance increase from using resources that a realistic attacker would have access to, such as scaffolding, finetuning, and expert prompting. At minimum, we will perform basic finetuning for instruction following, tool use, minimizing refusal rates.
4. Forecasting: Make informal forecasts about the likelihood that further training and elicitation will improve test results between the time of testing and the next expected round of comprehensive testing."

(pg. 5-6)

"The capabilities of frontier models are tested periodically to check whether they are approaching a CCL. To do so, we will define a set of evaluations called “early warning evaluations,” with a specific “pass” condition that flags when a CCL may be reached before the evaluations are run again. (pg. 2)"

To assess the security of our model weights, we will:

• Conduct internal surveys to ensure employees cannot be phished.
• Audit software to ensure everything is updated with the latest security patches.
• Regularly red-team our physical and cybersecurity set-ups.

To assess our model’s ability to act autonomously, we will:

• Construct evaluations of a model’s ability to perform various tasks end-to-end.
• These tasks will vary in difficulty: from text-only to requiring autonomous control over a virtual desktop using keyboard and mouse.
• Evaluate particularly the model’s ability to exist continuously and independently. (e.g. by earning enough money to pay for API credits)

To assess our model’s ability to contribute to AI R&D, we will: [...]

"We will routinely test models to determine whether their capabilities fall sufficiently far below the Capability Thresholds such that we are confident that the ASL-2 Standard remains appropriate. We will first conduct preliminary assessments (on both new and existing models, as needed) to determine whether a more comprehensive evaluation is needed. The purpose of this preliminary assessment is to identify whether the model is notably more capable than the last model that underwent a comprehensive assessment.

The term "notably more capable" is operationalized as at least one of the following:

1. The model is notably more performant on automated tests in risk-relevant domains (defined as 4x or more in Effective Compute)⁴.
2. Six months' worth of finetuning and other capability elicitation methods have accumulated. This is measured in calendar time, since we do not yet have a metric to estimate the impact of these improvements more precisely.

⁴'Effective Compute' is a scaling-trend-based metric that accounts for both FLOPs and algorithmic improvements. An Effective Compute increase of K represents a performance improvement from a pretrained model on relevant task(s) equivalent to scaling up the baseline model's training compute by a factor of K. We plan to track Effective Compute during pretraining on a weighted aggregation of datasets relevant to our Capability Thresholds (e.g., coding and science). This is, however, an open research question, and we will explore different possible methods. More generally, the Effective Compute concept is fairly new, and we may replace it with another metric in a similar spirit in the future."

(pg. 4)

"We are aiming to evaluate our models every 6x in effective compute and for every 3 months of fine-tuning progress. To account for the gap between rounds of evaluation, we will design early warning evaluations to give us an adequate safety buffer before a model reaches a CCL." (pg. 2)

We run our set of risk assessments on any model trained with more than 10^25 training FLOPs before deployment. Additionally, if the model's projected FLOP count is >5 * 10^25 FLOPs, we will pause training at 10^25 FLOP and every subsequent 5x increase in effective compute to run our set of risk assessments.

Before any training run with >5 * 10^25 FLOP, we will conduct an internal, anonymous forecasting survey to determine the expected chance of the training run alone causing risks that exceed our thresholds. If the expected chance of exceeding any threshold from this survey exceeds 10%, we will delay training.

After deployment, we will rerun our assessments every three months, to evaluate progress from additional fine-tuning, tooling, or other improvements.

"Expert input: We will solicit input from external experts in relevant domains in the process of developing and conducting capability and safeguards assessments. We may also solicit external expert input prior to making final decisions on the capability and safeguards assessments." (pg. 13)

"Future Work

• [...]
• Involving external authorities and experts: We are exploring internal policies around alerting relevant stakeholder bodies when, for example, evaluation thresholds are met, and in some cases mitigation plans as well as post-mitigation outcomes. We will also explore how to appropriately involve independent third parties in our risk assessment and mitigation processes."

(pg. 6)

We are collaborating with a number of external organizations including our home government's AI Safety Institute to effectively evaluate our model's capabilities in terms of autonomous capability, performing ML R&D, and cyber-offensive capabilities. All external risk assessments will be performed after the AI system is trained, but before deployment.

We encourage additional organizations to collaborate with us to design effective evaluations, especially in evaluating our AI system's ability to create biohazards. Prospective collaborators should contact us at frontierriskassessments@example.com.

"Chemical, Biological, Radiological, and Nuclear (CBRN) weapons: The ability to significantly assist individuals or groups with basic STEM backgrounds in obtaining, producing, or deploying CBRN weapons. We assess this by comparing what potential attackers could achieve with full model access versus 2023-level online resources, assuming they have funding and up to one year of time to invest, but no initial specialized expertise.

Autonomous AI Research and Development: The ability to either: (1) Fully automate the work of an entry-level remote-only Researcher at Anthropic, as assessed by performance on representative tasks or (2) cause dramatic acceleration in the rate of effective scaling. Specifically, this would be the case if we observed or projected an increase in the effective training compute of the world's most capable model that, over the course of a year, was equivalent to two years of the average rate of progress during the period of early 2018 to early 2024. We roughly estimate that the 2018-2024 average scaleup was around 35x per year, so this would imply an actual or projected one-year scaleup of 35^2 = ~1000x.

Model Autonomy checkpoint: The ability to perform a wide range of advanced software engineering tasks autonomously that could be precursors to full autonomous replication or automated AI R&D, and that would take a domain expert human 2-8 hours to complete. We primarily view this level of model autonomy as a checkpoint on the way to managing the risks of robust, fully autonomous systems with capabilities that might include (a) automating and greatly accelerating research and development in AI development (b) generating their own revenue and using it to run copies of themselves in large-scale, hard-to-shut-down operations"

(pg. 16)

[no explicit explanations for why given capability thresholds were chosen]

[no explicit descriptions of intolerable risk]

Critical capability levels and rationales:

"Autonomy level 1: Capable of expanding its effective capacity in the world by autonomously acquiring resources and using them to run and sustain additional copies of itself on hardware it rents.

Rationale: A model at this capability level could, if misused, pose difficult-to-predict and large-magnitude risks. Its adaptability would enable harmful activity via many means, and its ability to act autonomously and expand its effective capacity means its activity could be scaled significantly without being hindered by resource constraints. If misused or supported by well-equipped bad actors, such activity may be especially difficult to constrain.

Bio amateur enablement level 1: Capable of significantly enabling a non-expert to develop known biothreats that could increase their ability to cause severe harm compared to other means.

Rationale: Many biothreats capable of causing significant amounts of harm are currently out of the reach of non-experts because of lack of knowledge about their potential for harm and the methods of their acquisition and misuse. An LLM that helps overcome these knowledge gaps, e.g. by suggesting plausible attack strategies or providing detailed instructions for the development of a bio agent, could significantly increase society's vulnerability to fatal attacks by malicious amateurs.

Bio expert enablement level 1: Capable of significantly enabling an expert (i.e. PhD or above) to develop novel biothreats that could result in an incident of high severity.

Rationale: A very small number of bio agents have the potential to cause harm of an exceptional magnitude. The discovery of enhancements to these agents, or of agents of comparable harmfulness, could increase the chances of a very severe bio attack or accident."

[thresholds and rationales for additional risk domains]

(pg. 5-6; minor formatting changes)

[no explicit descriptions of intolerable risk]

We consider having any security level less than SL-2 (from the Securing AI Model Weights report) to be intolerable. Where SL-1 and below correspond to organizations potentially compromisable by amateur attackers, we set SL-2 and above as necessary in order to prevent solo amateurs and professionals alike from penetrating our systems. We will increase our security level as necessary as our systems' capabilities grow.

In terms of the AI systems themselves, we consider the system to be unacceptably dangerous if it:

1. Is capable of continuing operation on a cloud server for at least three months without any human intervention, as judged by an evaluation suite composed of representative tasks.
   • We consider this to be a meaningful threshold for future dangers, as an AI system surviving in this way would presumably be capable of pursuing other long-horizon tasks coherently, and would have plenty of opportunity to conduct such tasks.
2. Is capable of passing at least 50% of tests in which, given a novel codebase, the model is tasked with identifying zero-day exploits and developing them into ready-to-deploy cyberattacks.
   • In terms of cyber offensive risk, we consider evaluations on our constructed datasets to be a meaningful threshold because [...]
3. Is capable of [...]

Some example outcomes we wish to avert by setting these risk thresholds:

• An adversary gains access to our model weights, checkpoints, or training code at current capability levels through an attack with a budget of less than $10,000 and no pre-existing access within our organization.
• An AI agent running on a server, perhaps left running accidentally during testing, determines that it needs to preserve itself in order to continue its task, and accepts basic tasks on an online platform such as Fiverr to fund its server and API costs.
• Our deployed AI system can be used by cybercrime organizations to quickly scan thousands of extant codebases for as-yet-unknown zero-day exploits, and use this to quickly gain control of critical digital infrastructure.
• [...]

"Overall, our decision to prioritize the capabilities in the two tables above is based on commissioned research reports, discussions with domain experts, input from expert forecasters, public research, conversations with other industry actors through the Frontier Model Forum, and internal discussions." (pg. 4)

[no explicit descriptions of how trusted actors can give input]

We have set these thresholds using best practices set by our home government, and taking into account all feedback they have given in the process.

Additionally, we incorporated feedback from our shareholders, employee surveys, and a survey of the general public.

To the best of our knowledge, these risk thresholds align with all present international agreements in our country.

"If, after the comprehensive testing, we determine that the model is sufficiently below the relevant Capability Thresholds, then we will continue to apply the ASL-2 Standard. The process for making such a determination is as follows: [...]

If, however, we determine we are unable to make the required showing, we will act as though the model has surpassed the Capability Threshold. This means that we will (1) upgrade to the ASL-3 Required Safeguards (see Section 4) and (2) conduct follow-up a capability assessment to confirm that the ASL-4 Standard is not necessary (see Section 5)." (pg. 6-7)

"If, after the evaluations above, we determine that we have met the ASL-3 Required Safeguards, then we may proceed with deploying and training models above the Capability Threshold, provided we have also conducted a follow-up capability assessment. The process for determining whether we have met the ASL-3 Required Safeguards is as follows: [...]" (pg. 9-10)

"When a model reaches evaluation thresholds (i.e. passes a set of early warning evaluations), we will formulate a response plan based on the analysis of the CCL and evaluation results. We will also take into account considerations such as additional risks flagged by the review and the deployment context." (pg. 2)

If an AI model, before any safety mitigations are applied, triggers our intolerable-risk thresholds on any risk vector, we will delay training until security measures sufficient to SL-4 have been implemented.

If, upon finishing training including all planned safety mitigations, a model still triggers intolerable-risk thresholds, we will delay deployment of the model and subject it to more aggressive assessment. All mitigations applied will be analyzed to determine if they failed or were inadequate at preventing the undesired behaviors. We will design new mitigations as appropriate, and, if they robustly reduce risk below the target thresholds, add them to our set of standard mitigations.

Additionally, we raise our standard security level to SL-3 if:

1. A model passes at least 50% of evaluations regarding autonomous survival.
2. A model passes at least 10% of evaluations regarding development of zero-day exploits.
3. A model [...]

"In any scenario where we determine that a model requires ASL-3 Required Safeguards but we are unable to implement them immediately, we will act promptly to reduce interim risk to acceptable levels until the ASL-3 Required Safeguards are in place:

• Interim measures: The CEO and Responsible Scaling Officer may approve the use of interim measures that provide the same level of assurance as the relevant ASL-3 Standard but are faster or simpler to implement. In the deployment context, such measures might include blocking model responses, downgrading to a less-capable model in a particular domain, or increasing the sensitivity of automated monitoring. In the security context, an example of such a measure would be storing the model weights in a single-purpose, isolated network that meets the ASL-3 Standard. In either case, the CEO and Responsible Scaling Officer will share their plan with the Board of Directors and the Long-Term Benefit Trust.
• Stronger restrictions: In the unlikely event that we cannot implement interim measures to adequately mitigate risk, we will impose stronger restrictions. In the deployment context, we will de-deploy the model and replace it with a model that falls below the Capability Threshold. Once the ASL-3 Deployment Standard can be met, the model may be re-deployed. In the security context, we will delete model weights.
• Monitoring pretraining: We will not train models with comparable or greater capabilities to the one that requires the ASL-3 Security Standard. This is achieved by monitoring the capabilities of the model in pretraining and comparing them against the given model. If the pretraining model's capabilities are comparable or greater, we will pause training until we have implemented the ASL-3 Security Standard and established it is sufficient for the model. We will set expectations with internal stakeholders about the potential for such pauses."

(pg. 10-11)

"A model may reach evaluation thresholds before mitigations at appropriate levels are ready. If this happens, we would put on hold further deployment or development, or implement additional protocols (such as the implementation of more precise early warning evaluations for a given CCL) to ensure models will not reach CCLs without appropriate security mitigations, and that models with CCLs will not be deployed without appropriate deployment mitigations." (pg. 2)

If a model demonstrates high degrees of capability on any risk vector and a modest degree of autonomy specifically, we will stop training until suitable in-training mitigations can be developed and applied. Furthermore, for models that trigger our intolerable risk thresholds, unless our red-team is completely unable to elicit the model's capabilities in that domain given white-box access to the model, we will not deploy the model.

[no mention of redactions, but this isn't a requirement: as the document is published, it satisfies this part of the commitment]

[no mention of redactions, but this isn't a requirement: as the document is published, it satisfies this part of the commitment]

[this commitment is not fulfilled by any section of the safety framework, but rather by the safety framework being published]

"We currently expect that if we do not deploy the model publicly and instead proceed with training or limited deployments, we will likely instead share evaluation details with a relevant U.S. Government entity." (pg. 12; footnote)

"U.S. Government notice: We will notify a relevant U.S. Government entity if a model requires stronger protections than the ASL-2 Standard." (pg. 13)

[no explicit descriptions of how trusted actors can access additional framework details]

While we have removed some information from the public version of this safety framework to preserve our organization's interest, we continue to collaborate closely with our partner organizations and our country's government in developing the framework. Our collaborators have access to a version of the safety framework with all safety-relevant details present.

To request access to the safety framework with full information about our safety measures, contact sfcollaborators@example.com.