Standards Body · Foundation paper, public edition · Released July 17, 2026

Canonical record: https://standardsbody.ai/library/foundation-paper/dynamic-evaluation-protocols/

Standards Body is an independent research and institutional-design project. It is not currently a regulator, accreditation body, certification body, or governmental authority. This document is research; it is not an adopted standard.

FOUNDATION_01_DYNAMIC_EVALUATION_PROTOCOLS.md

Foundation 1: Dynamic Evaluation Protocols

Series: Foundations for Frontier AI Evaluation Infrastructure
Version: 1.0
Status: Canonical working white paper
Project: Standards Body
Primary domain: standardsbody.ai
Core line: Foundations for Frontier AI
Research basis reviewed through: July 16, 2026
Document owner: Standards Body
Review cycle: Annual review, with event-triggered revision when the evaluation landscape changes materially


Document Purpose

This paper defines the Standards Body position on dynamic evaluation protocols for frontier artificial intelligence.

It is intended to serve as:

This paper is not itself a technical standard. It does not prescribe one universal benchmark, scoring method, capability taxonomy, or legal threshold. It defines the principles, architecture, and governance conditions that should guide the development of evaluation protocols capable of remaining meaningful as AI systems, deployment environments, and societal needs change.


Executive Summary

Frontier AI evaluation is often organized around fixed benchmarks. A dataset is assembled, a scoring rule is defined, systems are tested, and the resulting scores are compared.

This approach has produced substantial scientific value. It has made progress more legible, enabled model comparisons, exposed weaknesses, and supported reproducible research. Static benchmarks should remain part of the evaluation ecosystem.

They should not be mistaken for a complete evaluation system.

A fixed benchmark begins to lose value when:

Dynamic evaluation protocols respond to this problem by treating evaluation as a maintained institutional process rather than a one-time dataset.

A dynamic protocol can revise its:

The protocol should not change arbitrarily. Uncontrolled change can destroy comparability, reproducibility, fairness, and trust.

The central design problem is therefore not simply how to update an evaluation. It is how to update an evaluation without losing the properties that make measurement useful.

A strong dynamic evaluation protocol should preserve five forms of continuity:

  1. Conceptual continuity
    The underlying capability or risk construct remains clearly defined, even when tasks change.

  2. Measurement continuity
    Version-to-version changes are calibrated so that score differences are not confused with capability differences.

  3. Procedural continuity
    Changes follow documented governance, validation, and approval processes.

  4. Evidentiary continuity
    Historical results, uncertainty, limitations, and protocol lineage remain accessible.

  5. Decision continuity
    Users can understand whether a revised result supports the same decision, a new decision, or no longer supports the earlier decision at all.

Standards Body therefore adopts the following core position:

Frontier AI evaluation should be designed as a versioned, evidence-producing protocol with explicit maintenance, validation, governance, security, and retirement mechanisms. A benchmark may be one component of that protocol, but it should not be treated as the protocol itself.

Dynamic evaluation is not synonymous with continuously changing test questions. It is a broader institutional discipline.

It includes deciding:

This foundation is necessary because evaluation systems will otherwise become stale while continuing to look authoritative.

The danger is not only inaccurate scores.

The deeper danger is institutional confidence built on expired evidence.


1. Foundational Proposition

1.1 Core Thesis

Evaluation systems should evolve at a pace appropriate to the capabilities, environments, and decisions they are intended to measure.

This does not mean that evaluation protocols should change every time a new model is released.

It means that every serious protocol should possess an explicit theory of change.

That theory should identify:

A protocol without a theory of change is static by default, even when its maintainers occasionally add questions.

1.2 Institutional Thesis

The ability to update an evaluation credibly is itself a form of public infrastructure.

Creating a benchmark is a research activity.

Maintaining a protocol across years, organizations, model generations, and disputes is an institutional activity.

The latter requires:

1.3 Epistemic Thesis

Evaluation results are time-bound claims produced under specified conditions, not permanent properties of a model.

A score is meaningful only relative to:

Dynamic evaluation makes these dependencies visible.


2. Scope and Boundaries

2.1 What This Foundation Covers

This paper covers dynamic protocols for evaluating:

It addresses evaluation of models and systems, including systems composed of:

2.2 What This Foundation Does Not Claim

This paper does not claim that:

2.3 Relationship to Monitoring

Evaluation and monitoring overlap but are not identical.

Evaluation produces structured evidence under defined conditions.

Monitoring observes systems, environments, incidents, or indicators over time.

Monitoring can trigger evaluation revision. Evaluation can define what monitoring should watch. A mature system connects the two without collapsing them into one activity.

2.4 Relationship to Red Teaming

Red teaming is one method within a broader evaluation protocol.

It is especially useful for:

Red teaming alone may not provide:

Dynamic protocols can use red-team findings to update formal test populations.


3. Canonical Definitions

3.1 Benchmark

A benchmark is a defined set of tasks, data, environments, or procedures used to measure one or more properties of a system.

3.2 Evaluation

An evaluation is the structured production and interpretation of evidence about a system relative to defined questions, conditions, metrics, and decisions.

3.3 Evaluation Protocol

An evaluation protocol is the complete specification governing how an evaluation is designed, administered, scored, interpreted, secured, reviewed, versioned, and connected to decisions.

A protocol can include one or more benchmarks.

3.4 Dynamic Evaluation Protocol

A dynamic evaluation protocol is a protocol with explicit mechanisms for evidence-driven revision while preserving appropriate continuity, traceability, and comparability.

3.5 Dynamic Benchmark

A dynamic benchmark is a benchmark whose tasks, examples, environments, models, sampling rules, or scoring components change over time.

A dynamic benchmark is narrower than a dynamic evaluation protocol.

3.6 Adaptive Testing

Adaptive testing selects or generates later tasks based on earlier system performance.

It can improve efficiency and measurement precision, but it creates additional challenges for reproducibility and comparability.

3.7 Rolling Evaluation

A rolling evaluation uses a continuously or periodically refreshed test window, often based on newly created or newly available material.

3.8 Evaluation Drift

Evaluation drift occurs when a protocol's meaning, task distribution, administration, scoring, or interpretation changes over time.

Drift can be intentional, accidental, beneficial, or harmful.

3.9 Protocol Expiration

Protocol expiration is the point at which results should no longer be treated as current evidence for the intended decision without re-evaluation or additional justification.

3.10 Protocol Retirement

Protocol retirement is the formal withdrawal of a protocol from active use because it is invalid, obsolete, insecure, superseded, too costly, or no longer decision-relevant.

3.11 Anchor Component

An anchor component is a stable task, item family, environment, reference population, or measurement link used to compare versions.

3.12 Evaluation Regime

An evaluation regime is the broader institutional arrangement within which protocols are developed and used, including evaluators, laboratories, governments, standards organizations, security systems, and decision-makers.


4. Why Static Benchmarks Lose Meaning

Static benchmarks fail in several distinct ways. These failure modes should not be reduced to contamination alone.

4.1 Saturation

A benchmark saturates when top systems cluster near its maximum score or when score differences become too small to distinguish meaningful capability differences.

Saturation creates several problems:

A saturated benchmark may still be useful for:

Saturation does not make a benchmark worthless. It changes the claims the benchmark can support.

4.2 Training-Data Contamination

Contamination occurs when evaluation material, close variants, solutions, or derived artifacts become part of model training or tuning.

Contamination can arise through:

The central issue is not merely whether the exact item appeared in training.

Models may learn:

LiveBench was developed partly in response to contamination concerns by using frequently updated questions derived from recent sources and objective scoring where possible. Its design illustrates one approach, not a complete solution.[^livebench]

4.3 Direct and Indirect Optimization

Once a benchmark becomes important, developers have incentives to improve performance on it.

This is not inherently improper.

Optimization becomes problematic when benchmark score improves faster than the underlying capability the benchmark is intended to represent.

Indirect optimization can occur without explicit training on test items through:

A dynamic protocol should assume that important metrics will influence behavior.

4.4 Construct Drift

A benchmark can remain statistically stable while the underlying construct changes.

For example, "coding capability" may shift from:

A protocol that measures only the earlier form may continue producing precise but incomplete evidence.

4.5 Deployment Drift

The tested system may differ from the deployed system.

Differences can include:

A model-level benchmark may not predict system-level behavior.

Dynamic protocols should define the evaluated object precisely and identify when a deployment change requires re-evaluation.

4.6 Elicitation Drift

Observed capability depends partly on how capability is elicited.

Methods may improve through:

A low score may reflect poor elicitation rather than lack of underlying capability.

A high score may reflect a scaffold unavailable in the intended deployment.

The protocol should specify whether it seeks to measure:

These are different questions.

4.7 Distribution Shift

A benchmark samples from a task distribution.

Real use may shift across:

HELM emphasized broad scenario and metric coverage because evaluation based on narrow shared tasks can hide major gaps and tradeoffs.[^helm]

4.8 Metric Collapse

A single score can compress incompatible properties.

Two systems with the same aggregate score may differ in:

Dynamic protocols should resist unnecessary scalarization.

4.9 Task Authenticity Decay

Tasks that once resembled real work can become artificial as tools, interfaces, and workflows change.

The task remains reproducible but no longer authentic.

4.10 Evaluation Gaming and Sandbagging

A system may behave differently when it detects evaluation conditions.

Potential behaviors include:

Evidence that current models systematically sandbag across broad evaluation regimes remains an open research question. The protocol should nevertheless be designed so that obvious gaming opportunities are minimized and anomalous behavior is investigated.

4.11 Decision Drift

The decision supported by an evaluation can change while the test remains the same.

A protocol created for research comparison may later be used for:

Evidence sufficient for a leaderboard may be insufficient for a high-consequence decision.


5. The Protocol, Not the Dataset, Is the Unit of Evaluation

Standards Body treats the full protocol as the unit that must be validated and governed.

A protocol should specify at least the following elements.

5.1 Decision Question

What decision is the evaluation meant to inform?

Examples:

An evaluation without a decision question can still support exploration, but its interpretation should remain limited.

5.2 Evaluated Object

The protocol should identify:

5.3 Construct Definition

The protocol should define the property being measured.

A strong construct definition includes:

5.4 Task Universe

The task universe is the broader population from which evaluation tasks are sampled or generated.

This matters because a benchmark score is meaningful only relative to the population it represents.

5.5 Task Selection and Generation

The protocol should explain whether tasks are:

5.6 Administration Conditions

The protocol should define:

5.7 Scoring and Judgment

The protocol should identify:

5.8 Baselines and Reference Populations

Relevant references may include:

METR's time-horizon work illustrates the value of relating AI task performance to the time required by skilled humans, while also showing why the task suite and methodology must be updated as systems improve.[^metr-time][^metr-update]

5.9 Validation Evidence

The protocol should document evidence concerning:

5.10 Security Controls

Security may cover:

5.11 Interpretation Rules

The protocol should state what results do and do not mean.

5.12 Change-Control Rules

The protocol should specify:

5.13 Retirement Rules

The protocol should define when it will be withdrawn or superseded.


6. What Should Change and What Should Remain Stable

Dynamic evaluation requires disciplined separation between stable and changeable components.

6.1 Stable Core

The stable core should usually include:

These can change, but changes should be treated as major revisions.

6.2 Controlled Dynamic Layer

The controlled dynamic layer can include:

6.3 Operational Layer

The operational layer can change more frequently:

Operational changes can still affect results. They should not be dismissed as merely technical.

6.4 The Principle of Minimum Necessary Change

A protocol should change enough to preserve validity, but not more than necessary.

Unnecessary change:

6.5 The Principle of Explicit Discontinuity

When a protocol changes so substantially that comparisons are no longer defensible, maintainers should state that clearly.

False continuity is more damaging than an honest break in the series.


7. Design Principles

7.1 Decision Relevance

The protocol should produce evidence that can reasonably inform an identified decision.

7.2 Construct Clarity

The measured capability or property should be defined before tasks are selected.

7.3 Versioned Evolution

Every material change should be versioned and documented.

7.4 Historical Traceability

Past protocols, results, limitations, and change rationales should remain accessible unless security or legal constraints require restricted archives.

7.5 Calibrated Comparability

Comparisons across versions should be supported by bridging evidence rather than assumed.

7.6 Multi-Method Evidence

No single task family should carry more interpretive weight than its validity justifies.

A strong protocol can combine:

7.7 Configuration Transparency

Results should be tied to the actual system configuration.

7.8 Proportional Security

Confidentiality should protect evaluation integrity without shielding weak methods from scrutiny.

7.9 Independent Challenge

Qualified external reviewers should be able to challenge assumptions, methods, and interpretations.

7.10 Fair Notice

Participants should know the protocol's general scope, rules, and decision consequences, even when specific items remain held out.

7.11 Anti-Gaming Design

Protocol design should consider how participants might optimize against the metric without improving the intended construct.

7.12 Expiration by Design

Results should not remain current indefinitely.

7.13 Reproducibility with Boundaries

The protocol should specify which components can be reproduced publicly, which can be independently reproduced under controlled access, and which cannot be reproduced for justified reasons.

7.14 International Interoperability

Definitions, units, metadata, and reporting should support cross-jurisdictional comparison.

7.15 Revisability

No protocol should be treated as permanent merely because it has institutional status.


8. Taxonomy of Dynamic Evaluation Methods

Dynamic evaluation is a family of methods.

8.1 Scheduled Refresh

Tasks are refreshed at fixed intervals.

Useful when:

Risk:

8.2 Triggered Refresh

Revision occurs when predefined indicators are met.

Triggers may include:

8.3 Rolling-Window Evaluation

The task population moves forward through time.

Useful for:

Risk:

8.4 Event-Sourced Evaluation

Tasks are derived from recent real-world events, incidents, datasets, competitions, or professional work.

LiveBench uses recent sources and periodic updates as part of its contamination-limited design.[^livebench]

Risk:

8.5 Human-and-Model-in-the-Loop Evaluation

Humans generate tasks that expose weaknesses in current systems.

Dynabench demonstrated an adversarial collection process in which annotators attempt to create examples that fool a target model while remaining valid for humans.[^dynabench]

Advantages:

Risks:

8.6 Procedural Generation

Tasks are generated from rules, simulations, formal systems, or parameterized templates.

Advantages:

Risks:

8.7 Expert Renewal

Domain experts periodically create, review, and retire tasks.

Useful in:

Risks:

8.8 Adaptive Testing

The next task is selected based on prior performance.

Advantages:

Risks:

8.9 Dynamic Environment Evaluation

The model operates in an environment that changes in response to its actions.

Useful for:

Risks:

8.10 Continuous Post-Deployment Evaluation

Evidence is generated from deployed performance through:

This should complement, not replace, pre-deployment evaluation.

8.11 Hybrid Protocols

Most serious frontier protocols will combine several methods.

A possible hybrid design might include:


9. Measurement Validity Under Change

A dynamic protocol is useful only if it continues to measure something meaningful.

9.1 Construct Validity

Construct validity asks whether the protocol actually measures the claimed capability.

Threats include:

9.2 Content Validity

Content validity asks whether the task portfolio adequately covers the construct.

Dynamic protocols should maintain a construct map showing:

9.3 Criterion Relevance

Where possible, evaluation results should be compared with meaningful external outcomes.

Examples:

The absence of a strong external criterion should be stated.

9.4 Reliability

A reliable protocol produces sufficiently consistent evidence under comparable conditions.

Relevant forms include:

Reliability does not establish validity.

A protocol can measure the wrong thing consistently.

9.5 Sensitivity and Specificity

For threshold evaluations, maintainers should consider:

9.6 Consequential Validity

A protocol should examine how its use affects behavior.

Questions include:

9.7 Validity Review

Every major version should include a validity argument.

That argument should explain:


10. Preserving Comparability Across Versions

Dynamic protocols create a tension.

If nothing changes, validity decays.

If everything changes, historical comparison disappears.

10.1 Anchor Tasks

A subset of tasks can remain stable across versions.

Anchors should be:

Public anchors can support transparency. Private anchors can support stronger leakage control. Both have tradeoffs.

10.2 Parallel Forms

Different task forms can be designed to measure the same construct at similar difficulty.

Parallel forms require validation.

Similarity in topic is not enough.

10.3 Bridging Studies

During a protocol transition, the same systems can be evaluated under old and new versions.

Bridging studies can estimate:

10.4 Reference Systems

A stable panel of reference systems can be tested across versions.

Reference systems might include:

Closed systems can disappear or change, so they should not be the only anchors.

10.5 Item Response Approaches

Where assumptions are justified, item response models can help estimate latent ability and task difficulty.

They should not be applied mechanically.

Frontier AI systems may violate assumptions common in educational testing because:

10.6 Score Bands Rather Than False Precision

Version-linked results may be more honest as:

10.7 Explicit Breaks

When comparability is weak, the report should state:

10.8 Frozen Historical Reproduction

For some protocols, maintainers should preserve the ability to rerun old versions.

This may require:


11. Protocol Versioning

A dynamic evaluation protocol should use formal version control.

11.1 Recommended Version Structure

A semantic structure can be adapted:

Example:

DEP-CYBER-1.4.2

This could identify:

11.2 Required Change Record

Every material update should include:

11.3 Emergency Revision

Emergency changes may be needed after:

Emergency changes should have:

11.4 Deprecation Window

Participants should receive reasonable notice before a protocol version is retired, unless continued use would be misleading or unsafe.

11.5 Version Lineage

The protocol should provide a lineage showing:


12. Lifecycle of a Dynamic Evaluation Protocol

Stage 1: Need Identification

A need may arise from:

Output:

Stage 2: Construct Scoping

Define:

Output:

Stage 3: Evidence Review

Review:

Output:

Stage 4: Protocol Design

Specify:

Output:

Stage 5: Task Development

Develop tasks through one or more methods:

Output:

Stage 6: Technical Validation

Test:

Output:

Stage 7: Pilot Evaluation

Run with:

Output:

Stage 8: Independent Review

Reviewers assess:

Output:

Stage 9: Approval and Publication

Publish appropriate components:

Sensitive content may remain controlled.

Stage 10: Administration

Run under controlled conditions.

Record:

Stage 11: Analysis and Reporting

Report:

Stage 12: Performance Monitoring

Track:

Stage 13: Revision Decision

Choose:

Stage 14: Transition

Conduct bridging studies, notify users, preserve archives, and update dependent standards.

Stage 15: Retirement or Renewal

A protocol should be renewed only if it continues to justify its institutional cost and interpretive authority.


13. Change Triggers

A protocol should not depend solely on maintainer discretion.

13.1 Performance Triggers

Examples:

13.2 Contamination Triggers

Examples:

13.3 Capability Triggers

Examples:

13.4 Incident Triggers

Examples:

13.5 Decision Triggers

Examples:

13.6 Evidence Triggers

Examples:

13.7 Time Triggers

A periodic review should occur even without an obvious event.

Time-based review is a backstop, not a substitute for evidence-driven triggers.


14. Elicitation, Scaffolding, and the Evaluated System

A dynamic protocol must specify what level of capability it is trying to reveal.

14.1 Five Elicitation Targets

Target A: Default Product Performance

How does the publicly available system behave under ordinary use?

Target B: Standardized Performance

How does the system perform under a common evaluator-defined configuration?

Target C: Developer-Elicited Performance

What can the developer demonstrate using its preferred configuration?

Target D: Evaluator-Optimized Performance

What can qualified evaluators elicit with additional effort, tools, and scaffolds?

Target E: Plausible Maximum Performance

What might the system accomplish under realistic but highly optimized conditions?

These targets can produce different results.

14.2 Why Best-of-N and Retry Policies Matter

Repeated attempts can reveal latent capability, but they can also misrepresent normal use.

Protocols should state:

14.3 Tool Access

Tools can transform capability.

Examples:

The protocol should distinguish model capability from system capability when possible.

14.4 System Prompt and Safety Layer

A capability evaluation may test:

These results should not be conflated.

14.5 Developer Assistance

Developer participation can improve elicitation and reduce false negatives. It can also create asymmetry.

A balanced design can include:

AISI has emphasized that evaluator access, time, and methodology affect the strength of conclusions drawn from frontier evaluations.[^aisi-lessons] Recent work on external evaluator access similarly distinguishes model access, information access, and evaluation timeframe as separate dimensions.[^access]


15. Dynamic Evaluation of Agents

Agentic systems intensify the need for dynamic protocols.

15.1 Why Agent Tasks Change Quickly

Agent performance depends on:

15.2 Outcome and Process Evidence

A dynamic agent protocol should evaluate:

15.3 Long-Horizon Measurement

Longer tasks introduce:

METR's work measuring task-completion time horizons demonstrates one possible way to summarize autonomous task capability, while its later methodology updates illustrate why the suite itself must evolve as capabilities and task coverage change.[^metr-time][^metr-update]

15.4 Environment Versioning

Agent evaluations should version:

15.5 Dynamic Adversaries

In security and control evaluations, the environment or defender may adapt to the agent.

This can increase realism but reduce reproducibility.

15.6 Evaluation-Induced Risk

Some agent evaluations may create risk if they provide:

Protocol design should include safety review and containment.


16. Contamination and Evaluation Integrity

Dynamic protocols should manage contamination as an ongoing process.

16.1 Contamination Threat Model

The threat model should cover:

16.2 Prevention

Controls may include:

16.3 Detection

Detection approaches may include:

No detection method should be treated as conclusive by default.

16.4 Response

A contamination response plan should specify:

16.5 Contamination-Limited, Not Contamination-Free

Claims of being contamination-free should be used cautiously.

For large models trained on broad corpora, proving absence of exposure is often difficult.

"Contamination-limited" or "contamination-resistant" is generally more defensible when evidence supports it.


17. Scoring, Uncertainty, and Reporting

17.1 Score Families

A protocol may report:

17.2 Multi-Dimensional Reporting

HELM's multi-metric approach illustrates why accuracy alone may fail to capture calibration, robustness, fairness, bias, toxicity, or efficiency.[^helm]

A dynamic protocol should report dimensions separately when aggregation would hide important tradeoffs.

17.3 Uncertainty

Uncertainty can arise from:

17.4 Threshold Uncertainty

Near a consequential threshold, the protocol should avoid false certainty.

Possible responses:

17.5 Invalid Runs

The protocol should define:

17.6 Reporting Minimum

Every public result should include:

17.7 Result Expiration

A result should carry:


18. Governance

Dynamic evaluation places substantial power in protocol maintainers.

That power must be governed.

18.1 Core Roles

A mature protocol may assign:

Roles can be combined in small projects, but conflicts should be documented.

18.2 Change Authority

No single maintainer should be able to make an undisclosed material change to a high-consequence protocol.

18.3 Conflict of Interest

Relevant conflicts include:

Disclosure alone may not resolve a conflict.

18.4 Dissent

Major protocol decisions should allow:

18.5 Appeals

Participants should be able to challenge:

Appeal should not become a mechanism to suppress unfavorable results.

18.6 Public Consultation

Public consultation can improve legitimacy, but sensitive protocols may require restricted technical consultation.

The process should state:

18.7 Funding

Long-term maintenance requires sustainable funding.

Funding models include:

Each creates incentives.

Dynamic protocols should disclose major funding dependencies and protect revision decisions from payer control.


19. Transparency and Security

19.1 Transparent Process, Protected Content

A dynamic protocol can disclose:

while protecting:

19.2 Disclosure Tiers

A possible framework:

Public

General methodology, governance, version, results, limitations.

Registered Research Access

Detailed task taxonomy, validation materials, selected artifacts.

Controlled Evaluator Access

Held-out tasks, administration tools, security procedures.

Restricted Security Access

Highly sensitive content with strict need-to-know controls.

19.3 Delayed Disclosure

Some content can be released after:

19.4 Auditability

Even when content is private, the process should be auditable by qualified independent parties.

19.5 Inspectable Infrastructure

The UK AI Security Institute's Inspect framework demonstrates the value of modular, open evaluation infrastructure that can support diverse tasks, agents, scorers, and model providers.[^inspect] Open tooling does not make every evaluation transparent, but it can improve portability, shared practice, and reproducibility.


20. International Interoperability

Frontier AI evaluation will cross jurisdictions.

20.1 Interoperability Does Not Require Identical Protocols

Institutions can align on:

while retaining different task sets or legal uses.

20.2 Mutual Recognition

Mutual recognition may be appropriate when protocols demonstrate:

20.3 Localization

Dynamic protocols should account for:

20.4 Avoiding Lowest-Common-Denominator Alignment

International agreement should not require reducing rigor to the easiest shared metric.

20.5 Standards Alignment

NIST describes testing, evaluation, verification, and validation as part of operationalizing AI risk management, and its AI Resource Center provides related guidance and resources.[^nist-rmf][^nist-airc] Future Standards Body protocols should map to recognized TEVV and standards terminology while remaining explicit where frontier AI requires additional methods.


21. Maturity Model

Level 0: Unmaintained Static Benchmark

Characteristics:

Use:

Level 1: Maintained Benchmark

Characteristics:

Use:

Level 2: Versioned Evaluation Protocol

Characteristics:

Use:

Level 3: Adaptive and Independently Reviewed Protocol

Characteristics:

Use:

Level 4: Interoperable Decision-Linked Evaluation Regime

Characteristics:

Use:

The maturity level should match the consequence of the decision.


22. Implementation Pathway

Phase 1: Inventory

Identify:

Phase 2: Select a Pilot Domain

Choose a domain with:

Phase 3: Build the Protocol Charter

Define:

Phase 4: Establish a Stable Core

Create:

Phase 5: Add Dynamic Components

Pilot:

Phase 6: Validate

Conduct:

Phase 7: Publish Version 1

Publish enough for legitimacy while protecting sensitive content.

Phase 8: Operate and Monitor

Track predefined indicators.

Phase 9: Revise

Use formal change control.

Phase 10: Evaluate the Evaluation

Assess whether the protocol improved decisions, not merely whether it produced scores.


23. Proposed Standards Body Pilot

Standards Body should begin with a bounded pilot rather than attempting to establish a universal protocol.

23.1 Candidate Pilot

Dynamic Evaluation Protocol for Long-Horizon Technical Task Performance

The pilot could examine how well AI systems complete increasingly long, verifiable technical tasks under controlled tool access.

23.2 Why This Domain

It offers:

23.3 Pilot Components

Stable Core

Dynamic Layer

Review

23.4 Pilot Outputs

23.5 Pilot Success Criteria

The pilot succeeds if it demonstrates:


24. Metrics for Evaluating the Protocol

The evaluation protocol itself should be evaluated.

24.1 Measurement Quality

24.2 Integrity

24.3 Operational Performance

24.4 Institutional Quality

24.5 Decision Utility

24.6 Adaptation Quality


25. Failure Modes and Safeguards

25.1 Change for Appearance

Failure: Frequent updates create the appearance of sophistication without improving validity.

Safeguard: Every material update requires an evidence-based rationale and post-change review.

25.2 Loss of Comparability

Failure: Versions cannot be compared, but rankings are presented as continuous.

Safeguard: Bridging studies and explicit discontinuity statements.

25.3 Maintainer Capture

Failure: A developer, government, funder, or evaluator controls revisions.

Safeguard: Distributed governance, conflicts, dissent, independent review.

25.4 Security as a Shield

Failure: Confidentiality prevents scrutiny of weak methods.

Safeguard: Controlled independent audit and public methodological disclosure.

25.5 Overfitting to Frontier Systems

Failure: Adversarial task generation becomes too specific to one model family.

Safeguard: Multiple reference systems, human validation, real-use sampling, diversity review.

25.6 Artificial Difficulty

Failure: Tasks become harder without becoming more meaningful.

Safeguard: Construct map and criterion relevance review.

25.7 Evaluation Arms Race

Failure: Protocols and developers escalate complexity without improving decision quality.

Safeguard: Cost-benefit review and minimum necessary change.

25.8 Excessive Automation

Failure: Generated tasks and model judges introduce hidden errors.

Safeguard: Human audits, objective scoring where possible, judge validation, uncertainty.

25.9 Excessive Expert Dependence

Failure: Small expert groups become bottlenecks or sources of bias.

Safeguard: Rotation, structured rubrics, diverse panels, scalable validation.

25.10 Unstable Thresholds

Failure: Decisions change because thresholds or scores move, not because capability changes.

Safeguard: Threshold governance, transition rules, decision impact analysis.

25.11 Protocol Proliferation

Failure: Too many overlapping protocols create confusion.

Safeguard: Registry, taxonomy, interoperability review, consolidation.

25.12 Goodhart Effects

Failure: The protocol becomes a target and ceases to be a useful measure.

Safeguard: Multiple methods, rotating components, held-out tasks, incident evidence, periodic construct review.

25.13 False Assurance

Failure: Passing the protocol is interpreted as proof of safety.

Safeguard: Explicit claims boundary, complementary evidence, result expiration.

25.14 Accessibility Failure

Failure: Only the largest laboratories can participate.

Safeguard: Tiered access, shared infrastructure, subsidized evaluation, open reference tracks.

25.15 Governance Latency

Failure: Revision is too slow for capability change.

Safeguard: Predefined triggers, emergency procedures, standing expert groups.

25.16 Metric Churn

Failure: Stakeholders cannot build stable processes because metrics constantly change.

Safeguard: Stable core, scheduled transitions, version support windows.


26. Serious Objections

Objection 1: Dynamic Protocols Reduce Reproducibility

This objection is valid.

Changing tasks and environments makes exact replication harder.

Response:

Residual concern:

Some dynamic, adversarial, or interactive evaluations may remain intrinsically difficult to reproduce.

Objection 2: Dynamic Protocols Give Maintainers Too Much Power

Also valid.

Maintainers can influence:

Response:

Residual concern:

Institutional power cannot be eliminated. It must be constrained and contestable.

Objection 3: Static Benchmarks Are More Scientific

Static benchmarks often support cleaner comparison.

Response:

Residual concern:

Some research questions are better served by fixed benchmarks. Dynamic evaluation should not become an ideology.

Objection 4: Dynamic Protocols Are Too Expensive

They require ongoing staff, task development, security, infrastructure, and review.

Response:

Residual concern:

A dynamic regime can become bureaucratic. Cost should be measured explicitly.

Objection 5: Developers Will Still Optimize Against the Protocol

Yes.

Response:

Residual concern:

No evaluation system is immune to optimization.

Objection 6: Dynamic Tasks Can Become Arbitrary

Response:

Residual concern:

Constructs such as "general intelligence" or "dangerous capability" may remain contested.

Objection 7: Recent Data Does Not Guarantee Better Evaluation

Correct.

Recent tasks can be noisy, unrepresentative, or shallow.

Response:

Recent-data evaluation should be one component, not the definition of dynamic evaluation.

Objection 8: A Single Global Protocol Is Unrealistic

Agreed.

Response:

The goal should be interoperable protocols, not one universal test.

Objection 9: Evaluation Cannot Keep Pace With Frontier Development

This may sometimes be true.

Response:

OpenAI's updated Preparedness Framework explicitly links faster model improvement to the need for scalable, more frequent evaluations while retaining expert-led deep dives.[^openai-pf]

Residual concern:

Evaluation capacity may still lag. Protocols should state when evidence is incomplete rather than creating false confidence.

Objection 10: Dynamic Evaluation Encourages Premature Governance

Response:

This foundation proposes evidence infrastructure, not automatic regulation.

The decision use should remain explicit and proportionate.


27. Evidence Gaps

The field lacks strong evidence on several foundational questions.

27.1 Comparability

How well do common equating methods work for rapidly changing AI systems?

27.2 Contamination

Which contamination-detection methods are reliable across closed training pipelines?

27.3 Elicitation

How much measured capability variation is attributable to prompting, scaffolding, and evaluator effort?

27.4 Predictive Validity

Which evaluation results predict real-world deployment outcomes?

27.5 Adversarial Data

When does human-and-model-in-the-loop collection improve robustness, and when does it create unrealistic distributions?

Theoretical work on dynamic benchmarks highlights that the interaction between model fitting and data collection requires distinct analysis from static benchmarking.[^dynamic-theory]

27.6 Model Judges

When are model-based judges sufficiently reliable, and where do they create systematic bias?

27.7 Agent Evaluation

How should long-horizon, stochastic, and environment-dependent performance be summarized?

27.8 Governance

Which governance structures revise protocols quickly without enabling capture?

27.9 International Recognition

What evidence is sufficient for one evaluator or jurisdiction to recognize another's result?

27.10 Expiration

How should result expiration be determined empirically?

27.11 Decision Impact

Do dynamic protocols improve real decisions enough to justify their cost?


28. Research Agenda

Priority 1: Protocol Comparability

Develop and test:

Priority 2: Dynamic Task Quality

Compare:

Priority 3: Contamination Resistance

Evaluate:

Priority 4: Elicitation Standards

Develop reporting standards for:

Priority 5: Agent Protocols

Study:

Priority 6: Evaluation Governance

Pilot:

Priority 7: Result Expiration

Develop:

Priority 8: Protocol Performance Metrics

Measure whether evaluation systems themselves remain valid, efficient, and decision-useful.

Priority 9: Interoperability

Create:

Priority 10: Evaluation Safety

Develop controls for evaluation activities that could create security, privacy, or misuse risk.


29. Near-Term Experiments

Experiment 1: Static versus Rolling Task Suite

Run the same reference systems on:

Compare:

Experiment 2: Anchor Design

Test whether stable anchors preserve useful longitudinal measurement after substantial task refresh.

Experiment 3: Human-and-Model-in-the-Loop Collection

Compare adversarial tasks against naturally sampled professional tasks.

Experiment 4: Elicitation Matrix

Evaluate the same system under:

Experiment 5: Version Transition

Build Protocol 1.0 and 2.0, conduct a bridging study, and test whether independent analysts reach similar comparability conclusions.

Experiment 6: Result Expiration Labels

Test whether users interpret results more accurately when reports include explicit freshness and expiration status.

Experiment 7: Governance Simulation

Run a mock change-control process with:

Experiment 8: Dynamic Agent Environment

Introduce controlled environment updates and measure how much apparent capability change comes from the model versus the environment.


30. Implications for Future Standards

A future standard for dynamic evaluation protocols could require:

30.1 Protocol Identification

Unique identifier, owner, version, status, and scope.

30.2 Construct Specification

Definition, exclusions, intended use, and evidence basis.

30.3 Evaluated-System Specification

Model and system configuration metadata.

30.4 Change-Control Plan

Triggers, authority, review, validation, and publication.

30.5 Comparability Plan

Anchors, bridging, reference systems, and discontinuity criteria.

30.6 Integrity Plan

Contamination, security, access, logging, and incident response.

30.7 Validation Plan

Reliability, validity, robustness, fairness, and uncertainty.

30.8 Reporting Minimum

Results, limitations, configuration, uncertainty, conflicts, and expiration.

30.9 Governance

Roles, conflicts, dissent, appeals, and funding disclosure.

30.10 Retirement

Conditions, process, archive, and successor mapping.

Such a standard should be developed through the future STANDARDS_DEVELOPMENT_PROCESS.md, not declared unilaterally by this paper.


31. Relationship to the Other Foundations

Foundation 2: Held-Out Evaluations

Dynamic protocols often require rotating confidential content to reduce leakage.

Foundation 3: High-Stakes Capability Evaluation

The consequence of the decision should determine the depth, security, and review level of the dynamic protocol.

Foundation 4: Independent Expert Review

Independent reviewers challenge construct definitions, methods, revisions, and interpretations.

Foundation 5: Third-Party Auditor Ecosystem

Dynamic protocols require qualified organizations capable of consistent administration across versions.

Foundation 6: Progressive Standards and Requirements

Dynamic protocols may begin as voluntary research practice and later support procurement, certification, insurance, or formal requirements.

Foundation 7: Incentives and Prestige

Recognition should reward participation in rigorous, revisable evaluation rather than benchmark marketing.

Foundation 8: Global Interoperability

Protocol metadata, versioning, evidence standards, and recognition should work across borders.


32. Canonical Standards Body Positions

Standards Body adopts the following positions as the current working foundation.

  1. Static benchmarks remain useful, but are insufficient as the sole basis for frontier AI evaluation.

  2. The evaluation protocol, not the dataset alone, is the proper unit of governance and validation.

  3. Dynamic evaluation means evidence-driven maintenance, not arbitrary or constant change.

  4. Every high-consequence protocol should define what remains stable and what may change.

  5. Historical comparability must be demonstrated, not assumed.

  6. A major protocol change may require a new baseline rather than a forced continuous ranking.

  7. Evaluation results should be tied to exact system configurations and dates.

  8. Results should have expiration or re-evaluation conditions.

  9. Dynamic protocols should combine multiple forms of evidence when one method is insufficient.

  10. Held-out content can coexist with transparent governance.

  11. Independent review is required when protocol results influence consequential decisions.

  12. Protocol maintainers should be subject to conflict disclosure, dissent, and appeal mechanisms.

  13. Evaluation difficulty should not be confused with evaluation validity.

  14. Recent-data tasks should not be treated as automatically representative.

  15. Model-judge and automated task-generation methods require validation.

  16. Agent evaluation requires environment, tool, and trajectory versioning.

  17. Passing an evaluation is not proof of safety.

  18. Protocols should be retired when their interpretive authority exceeds their evidence.

  19. Interoperability is preferable to forced global uniformity.

  20. The evaluation system itself should be continuously evaluated.


33. Decision Rules

A protocol should be revised when one or more of the following is true:

A protocol should not be revised merely because:

A protocol should be retired when:


34. Protocol Template

A future protocol should include the following sections.

A. Identity

B. Purpose

C. Construct

D. Evaluated Object

E. Task Universe

F. Administration

G. Scoring

H. Validation

I. Security

J. Governance

K. Versioning

L. Reporting

M. Retirement


35. Change Request Template

Protocol:
Current version:
Proposed version:
Proposer:
Date:

Proposed Change

Describe the change precisely.

Trigger

Identify the evidence or event requiring change.

Rationale

Explain why the current protocol is insufficient.

Components Affected

Expected Impact

Describe likely effects on:

Validation Plan

Explain how the change will be tested.

Comparability Plan

Explain how old and new versions will be linked, or state why they cannot be linked.

Conflicts

List relevant interests.

Reviewers

Identify technical, domain, security, and independent reviewers.

Decision

Effective Date

Follow-Up Review


36. Protocol Scorecard

A protocol can be reviewed against the following dimensions:

Dimension Core Question
Purpose Is the decision question explicit?
Construct Is the measured property clearly defined?
Coverage Does the task portfolio represent the construct?
Integrity Is contamination and gaming risk managed?
Reliability Are results sufficiently consistent?
Validity Does evidence support the intended interpretation?
Elicitation Are prompting, tools, and scaffolds specified?
Configuration Is the evaluated system precisely identified?
Comparability Are version-to-version claims justified?
Security Are sensitive components protected proportionately?
Transparency Is enough disclosed for accountability?
Governance Are authority and conflicts controlled?
Appeals Can material errors be challenged?
Freshness Is result expiration defined?
Interoperability Can others understand and map the result?
Cost Is the protocol proportionate to its decision value?
Accessibility Can qualified smaller actors participate?
Retirement Can obsolete authority be withdrawn?

37. Final Perspective

Frontier AI evaluation will fail if it is treated as a sequence of permanent leaderboards.

The systems being measured are changing.

The ways they are trained are changing.

The tools surrounding them are changing.

The environments in which they act are changing.

The risks, benefits, and decisions attached to their performance are changing.

Evaluation infrastructure must therefore be capable of change as well.

But change alone is not the objective.

A protocol that changes constantly without stable meaning is not dynamic in a useful sense. It is unstable.

The objective is disciplined adaptation.

Dynamic evaluation protocols should make it possible to improve what is measured while preserving the evidence required to understand how and why the measurement changed.

They should support progress without allowing yesterday's evidence to govern tomorrow's systems indefinitely.

They should make uncertainty visible.

They should reveal when comparisons are weak.

They should state when an evaluation has expired.

They should allow disagreement.

They should retain history.

They should be governed in proportion to the consequences of their use.

The first foundation of Standards Body is therefore not a particular benchmark.

It is the institutional capacity to keep evaluation meaningful.


References and Research Basis

[^nist-rmf]: National Institute of Standards and Technology, AI Risk Management Framework and Generative AI Profile. https://www.nist.gov/itl/ai-risk-management-framework

[^nist-airc]: National Institute of Standards and Technology, AI Resource Center, including testing, evaluation, verification, and validation resources. https://airc.nist.gov/

[^helm]: Percy Liang et al., Holistic Evaluation of Language Models, 2022, revised 2023. https://arxiv.org/abs/2211.09110

[^dynabench]: Douwe Kiela et al., Dynabench: Rethinking Benchmarking in NLP, 2021. https://arxiv.org/abs/2104.14337

[^dynamic-theory]: Ali Shirali, Rediet Abebe, and Moritz Hardt, A Theory of Dynamic Benchmarks, ICLR 2023. https://arxiv.org/abs/2210.03165

[^livebench]: Colin White et al., LiveBench: A Challenging, Contamination-Limited LLM Benchmark, 2024. https://arxiv.org/abs/2406.19314

[^dynamic-survey]: Shijie Chen et al., Recent Advances in Large Language Model Benchmarks Against Data Contamination: From Static to Dynamic Evaluation, 2025. https://arxiv.org/abs/2502.17521

[^aisi-lessons]: UK AI Security Institute, Early Lessons from Evaluating Frontier AI Systems, 2024. https://www.aisi.gov.uk/blog/early-lessons-from-evaluating-frontier-ai-systems

[^inspect]: UK AI Security Institute, Inspect AI, open evaluation framework. https://inspect.aisi.org.uk/

[^metr-time]: METR, Measuring AI Ability to Complete Long Tasks, 2025. https://metr.org/blog/2025-03-19-measuring-ai-ability-to-complete-long-tasks/

[^metr-update]: METR, Time Horizon 1.1, 2026. https://metr.org/blog/2026-1-29-time-horizon-1-1/

[^openai-pf]: OpenAI, Preparedness Framework v2, 2025. https://openai.com/index/updating-our-preparedness-framework/

[^deepmind-fsf]: Google DeepMind, Frontier Safety Framework, updated 2025. https://deepmind.google/blog/updating-the-frontier-safety-framework/

[^extreme-risk]: Toby Shevlane et al., Model Evaluation for Extreme Risks, 2023. https://arxiv.org/abs/2305.15324

[^dangerous-capabilities]: Mary Phuong et al., Evaluating Frontier Models for Dangerous Capabilities, 2024. https://arxiv.org/abs/2403.13793

[^access]: Jacob Charnock et al., Expanding External Access to Frontier AI Models for Dangerous Capability Evaluations, 2026. https://arxiv.org/abs/2601.11916


Revision Record

Version 1.0

Date: July 16, 2026

Change type: Complete replacement

Summary: Replaces the earlier outline edition with a fully developed canonical working white paper. Adds first-principles rationale, definitions, protocol architecture, taxonomy of dynamic methods, measurement validity, version comparability, lifecycle, change triggers, elicitation standards, agent evaluation, contamination controls, scoring, governance, transparency, interoperability, maturity model, implementation pathway, Standards Body pilot proposal, protocol metrics, failure analysis, objections, evidence gaps, research agenda, standards implications, templates, canonical positions, and primary-source research basis.

Status: Ready for internal review and future expert critique.