Standards Body · Foundational source, public edition · Released July 17, 2026

Canonical record: https://standardsbody.ai/library/foundational-source/evaluation-philosophy/

Standards Body is an independent research and institutional-design project. It is not currently a regulator, accreditation body, certification body, or governmental authority. This document is research; it is not an adopted standard.

EVALUATION_PHILOSOPHY.md

Standards Body Evaluation Philosophy

Project: Standards Body
Primary domain: standardsbody.ai
Core line: Foundations for Frontier AI
Document type: Canonical philosophy of evaluation, measurement, interpretation, and decision use
Version: 1.0
Status: Approved foundational source
Document owner: Standards Body
Applies to: All Standards Body evaluations, protocols, benchmarks, task suites, evidence cases, review processes, standards proposals, assurance activities, public claims, registries, pilots, research programs, and institutional decisions
Related canonical sources: PROJECT_IDENTITY.md, TERMINOLOGY.md, FOUNDATIONS.md, FOUNDATIONS_APPENDIX.md, EVIDENCE_STANDARDS.md, RESEARCH_METHODOLOGY.md, TAXONOMY.md, and the eight foundation papers
Research basis reviewed through: July 16, 2026
Review cycle: Annual review, with event-triggered revision following material advances in frontier AI capability, evaluation science, measurement theory, model behavior, assurance practice, or institutional use


Authority Note

This document states the evaluation worldview of Standards Body.

It does not:

Where a law, regulation, contract, recognized standard, ethics requirement, or domain-specific professional obligation imposes a stronger requirement, the stronger requirement governs.


Document Purpose

This document explains what evaluation is for, what makes it meaningful, how it should be interpreted, and where its authority ends.

It is the canonical source for Standards Body positions on:

This document exists because the word evaluation is often used to describe very different activities.

A one-page benchmark leaderboard, a controlled red-team exercise, a year-long field study, a system card, a management-system audit, a held-out capability test, and an accredited laboratory assessment may all be described as evaluation.

They are not equivalent.

Their evidence differs in:

A credible institution must preserve those distinctions.

The governing philosophical position is:

Evaluation is the structured production and interpretation of evidence for a bounded claim or decision under uncertainty.

Evaluation is not a score.

Evaluation is not proof of safety.

Evaluation is not a substitute for judgment.

Evaluation is not valid merely because it is quantitative, hidden, difficult, expensive, official, or conducted by a prestigious institution.

Evaluation earns authority when the inference from observed evidence to the intended claim is justified.


Executive Summary

Frontier AI evaluation is often treated as a contest.

Models are ranked.

Scores are announced.

A result is compressed into one number.

The number is then used to support claims about intelligence, safety, risk, progress, deployment readiness, or social consequence.

This is understandable.

Numbers are portable.

Leaderboards are legible.

Benchmarks create a shared reference point.

They can reveal real capability differences.

They can also produce false confidence.

A benchmark may be saturated, contaminated, narrow, poorly scored, unrepresentative, under-elicited, overfit, or disconnected from the decision it is used to support.

A model may perform well on short, clean tasks and poorly on long, ambiguous work.

A system may perform better than its base model because of tools, memory, scaffolding, or human support.

A system may perform worse in deployment because of latency, cost, user behavior, changing environments, or unreliable integration.

A hidden test may reduce direct gaming while remaining invalid.

A public test may support reproducibility while becoming less informative over time.

A red team may identify important failures without estimating their frequency.

A mechanism-based finding may reveal internal structure without proving operational behavior.

An operational incident may reveal a real failure pathway without establishing general prevalence.

Evaluation therefore requires a philosophy of inference.

The Standards Body position can be summarized through twelve propositions.

1. Evaluation begins with a claim or decision

An evaluation should answer:

A test without an intended interpretation may produce data, but it does not yet produce a justified institutional conclusion.

2. The evaluated object must be precise

The object may be:

A model name alone is rarely enough for a consequential result.

3. Validity concerns the interpretation, not the prestige of the instrument

The central validity question is:

Does the evidence support the intended interpretation and use?

A benchmark is not valid in the abstract.

It may be useful for one claim and invalid for another.

4. Reliability is necessary but not sufficient

A consistently wrong or narrow measure can be reliable.

A valid evaluation should normally be sufficiently reliable for its intended decision, but reliability alone does not establish construct validity, generalization, fairness, or practical relevance.

5. Evaluation conditions are part of the result

Prompts, tools, retries, scaffolds, fine-tuning, time, compute, human assistance, and environment affect measured capability.

A result without these conditions is incomplete.

6. Capability is not risk

Capability evidence may inform risk.

Risk also depends on:

7. Evaluation should use portfolios, not single instruments

Consequential decisions should normally combine:

8. Evaluation should be dynamic

Frontier systems, tasks, threats, and methods change.

Protocols need:

9. Evaluation integrity and evaluation transparency must coexist

Protected tasks can preserve validity.

Transparent governance preserves legitimacy.

Exact content may be confidential while purpose, construct, method class, evaluator role, uncertainty, limitations, and result status remain visible.

10. A negative result has limited meaning

Failure to demonstrate a capability may result from:

The preferred default conclusion is:

The capability was not demonstrated under the assessed conditions.

11. Evaluation is an institutional act

Evaluators select:

These choices require governance, not only technical execution.

12. Evaluation has limits

Evaluation cannot prove:

The deepest Standards Body position is:

Evaluation is structured evidence for bounded decisions under uncertainty, not a machine for converting complex systems into certainty.


1. Foundational Propositions

1.1 The Inference Proposition

Evaluation authority comes from a justified inference between:

  1. The evidence observed
  2. the construct intended
  3. the claim made
  4. the decision supported

1.2 The Object Proposition

No consequential evaluation is interpretable without a sufficiently precise identity for the evaluated object.

1.3 The Protocol Proposition

The protocol, not the task set alone, is the proper unit of evaluation governance.

1.4 The Condition Proposition

Evaluation conditions are constitutive of the result.

They are not incidental metadata.

1.5 The Portfolio Proposition

No single evaluation method should be expected to answer every material question about capability, risk, safeguards, reliability, or deployment.

1.6 The Proportionality Proposition

Evaluation rigor, independence, security, and evidence burden should increase with the consequence of error.

1.7 The Temporal Proposition

Evaluation results decay as systems, environments, threats, and methods change.

1.8 The Integrity Proposition

Evaluation content should remain protected when exposure would materially weaken measurement or increase harm.

1.9 The Transparency Proposition

Protection of content should not eliminate transparency about governance, purpose, scope, status, and limitations.

1.10 The Elicitation Proposition

An observed failure may reflect a failure to elicit, not a lack of underlying capability.

1.11 The Deployment Proposition

A model-level result should not be assumed to represent every system or deployment built from that model.

1.12 The Risk Proposition

Capability, propensity, access, safeguards, and consequence are distinct elements.

1.13 The Judgment Proposition

Evaluation does not remove judgment.

It disciplines judgment through explicit methods, evidence, uncertainty, and review.

1.14 The Correctability Proposition

A credible evaluation system must support correction, supersession, withdrawal, and retirement.

1.15 The Reflexivity Proposition

The evaluator, protocol, scoring system, threshold, and institution should themselves be evaluated.


2. Scope and Non-Claims

2.1 Objects Covered

This philosophy applies to evaluation of:

2.2 Evaluation Purposes Covered

2.3 Non-Claims

This document does not claim that:

2.4 Domain-Specific Requirements

Specialized evaluation may require additional methods.

Examples:


3. Canonical Evaluation Definitions

Definitions in TERMINOLOGY.md govern.

3.1 Evaluation

A structured process for producing and interpreting evidence about a model, system, method, process, control, organization, or claim.

3.2 Test

A defined procedure used to observe or measure one or more characteristics.

3.3 Benchmark

A standardized set of tasks, procedures, and metrics used for comparison.

3.4 Evaluation Protocol

The complete versioned specification governing purpose, construct, scope, tasks, administration, configuration, elicitation, scoring, analysis, security, reporting, and change control.

3.5 Construct

The underlying concept or attribute an evaluation intends to measure.

3.6 Validity

The degree to which evidence and theory support the intended interpretation and use of evaluation results.

3.7 Reliability

The consistency of measurement across repetitions, tasks, raters, environments, or conditions.

3.8 Generalization

The degree to which findings apply beyond the specific evaluated examples or conditions.

3.9 Elicitation

The process of configuring prompts, tools, examples, scaffolds, resources, or procedures to reveal available capability.

3.10 Evaluation Integrity

The degree to which design, administration, security, scoring, evidence, and reporting preserve the intended meaning of a result.

3.11 Evaluation Awareness

A system's ability to recognize or infer that it is being evaluated.

3.12 Sandbagging

Deliberate or strategically selective underperformance intended to conceal capability.

3.13 Operational Evidence

Evidence arising from use or realistic operation rather than isolated test tasks alone.

3.14 Mechanistic Evidence

Evidence concerning internal representations, processes, circuits, causal mechanisms, or computational structure.

3.15 Decision Linkage

The explicit relationship between an evaluation result and a decision, claim, threshold, or action.

3.16 Evaluation Expiration

The point or trigger after which a result should no longer be treated as current without review.


4. What Evaluation Is For

Evaluation serves several distinct functions.

They should not be collapsed.

4.1 Description

Evaluation can describe observed behavior or performance.

Example:

The system completed 42 percent of tasks under the stated protocol.

4.2 Comparison

Evaluation can compare:

Comparison requires comparability.

4.3 Diagnosis

Evaluation can identify:

4.4 Prediction

Evaluation can estimate future or out-of-sample behavior.

Predictive interpretation requires validation against future or operational outcomes.

4.5 Decision Support

Evaluation can reduce uncertainty for:

4.6 Accountability

Evaluation can allow others to assess whether claims and obligations are justified.

4.7 Learning

Evaluation can improve:

4.8 Early Warning

Evaluation can detect movement toward a consequential capability before a critical threshold is reached.

4.9 Assurance

Evaluation can contribute evidence to an assurance conclusion.

It is not identical to assurance.

4.10 Public Communication

Evaluation can inform the public.

Public communication requires stricter claim discipline because simplified scores are easily overinterpreted.

4.11 Function Declaration

Every evaluation should declare its primary and secondary functions.

A diagnostic test should not be marketed as a certification.

A research benchmark should not be presented as deployment authorization.

A capability screen should not be presented as a complete risk assessment.


5. Evaluation as Measurement, Inquiry, and Institution

Evaluation has three simultaneous identities.

5.1 Evaluation as Measurement

It assigns observations, scores, categories, or judgments to an object according to a method.

5.2 Evaluation as Inquiry

It investigates an uncertain question.

It may generate:

5.3 Evaluation as Institution

It distributes:

A benchmark can shape research priorities.

A threshold can shape deployment.

A certification scheme can shape markets.

A regulator can incorporate an evaluation into law.

The institutional effect can exceed the technical strength of the measurement.

5.4 Institutional Consequence Rule

As the institutional consequence of an evaluation grows, requirements should increase for:


6. The Evaluated Object

6.1 The Object Problem

Frontier AI results are often attached to names that do not uniquely identify the evaluated object.

A name may conceal:

6.2 Object Levels

Model Level

The learned model or checkpoint.

System Level

The model plus prompts, tools, scaffolds, interfaces, safeguards, and infrastructure.

Deployment Level

The system under actual access, user, scale, sector, and governance conditions.

Human-AI Team Level

The combined performance of people and AI systems.

Organizational Level

The institution's processes, controls, and practices.

6.3 Minimum Identity

A consequential evaluation should record:

6.4 Inheritance

Evidence should not be inherited automatically across:

6.5 Material Change

A change is material when it could alter:

6.6 Object Uncertainty

Where exact identity is unavailable, the result should state the uncertainty and narrow the claim.


7. Constructs and the Meaning of Scores

7.1 Construct Definition

A construct should answer:

What underlying attribute is the evaluation intended to measure?

Examples:

7.2 Observable Versus Latent

The construct may not be directly observable.

Evaluation observes:

and infers the construct.

7.3 Construct Underrepresentation

An evaluation underrepresents the construct when it covers too little of the relevant domain.

7.4 Construct-Irrelevant Variance

A result may vary because of irrelevant factors.

Examples:

7.5 Proxy Risk

A proxy can be useful.

It becomes dangerous when treated as the construct itself.

7.6 Construct Drift

The meaning of a construct may change as:

7.7 Score Meaning

A score should identify:

7.8 Ordinal and Cardinal Interpretation

A ranking does not imply equal distance.

A ten-point difference may not have the same meaning across the scale.

7.9 Threshold Interpretation

A threshold is an institutional decision boundary.

It is not necessarily a natural discontinuity in capability or risk.

7.10 Validity Argument

A high-consequence evaluation should maintain an explicit validity argument containing:


8. Validity

Validity is the central philosophical problem of evaluation.

The question is not:

Is this benchmark valid?

The better question is:

For which interpretation and use does this evidence provide sufficient support?

Modern measurement theory treats validity as an integrated evaluative judgment about the degree to which evidence and theory support interpretations of scores for intended uses.[^standards-testing][^messick]

8.1 Content Validity

Does the evaluation adequately represent the relevant domain?

Questions:

8.2 Construct Validity

Does the evaluation measure the intended capability or property?

Evidence may include:

8.3 Criterion Validity

Does the evaluation relate to an external criterion?

Examples:

8.4 Ecological Validity

Do the tasks and conditions resemble relevant operational environments?

Ecological validity is not always required.

A controlled test may isolate an important component.

The claim should reflect the level of realism.

8.5 Internal Validity

Does the design support the claimed comparison or causal conclusion?

8.6 External Validity

Can the result generalize to:

8.7 Consequential Validity

How does the use of the evaluation affect:

The consequences of score use can reveal weaknesses in the evaluation system.

8.8 Validity Is Accumulated

Validity should be supported by an accumulating evidence case.

One correlation, expert endorsement, or leaderboard result is rarely enough for consequential use.

8.9 Validity Is Use-Specific

A short-answer benchmark may be useful for:

It may be invalid for:

8.10 Validity Review Triggers

Review validity after:


9. Reliability, Repeatability, and Robustness

9.1 Reliability

Reliability concerns consistency.

Sources of inconsistency include:

9.2 Test-Retest Reliability

Would repeated evaluation under materially equivalent conditions produce similar results?

9.3 Inter-Rater Reliability

Do qualified judges apply the scoring criteria consistently?

High agreement can coexist with systematic bias.

9.4 Internal Consistency

Do items intended to measure a common construct produce coherent evidence?

High internal consistency does not prove that the construct is correct.

9.5 Cross-Form Reliability

Do alternate task forms support comparable conclusions?

This is important for dynamic and held-out evaluation.

9.6 Inter-Evaluator Reliability

Do different organizations implementing the same protocol produce comparable results?

Differences may arise from:

9.7 Robustness

Robustness asks whether the result remains meaningful under relevant variation.

Variation may include:

9.8 Reliability-Validity Tradeoff

Increasing standardization may increase reliability while reducing realism.

Open-world evaluation may increase realism while increasing measurement noise.

The correct balance depends on the decision.

9.9 Reliability Target

Reliability should be sufficient for the claim.

A research screen may tolerate more noise than a binding threshold.

9.10 Report the Distribution

Repeated-run performance should be reported as a distribution where feasible.

Avoid presenting one favorable run as representative.


10. Generalization

10.1 Task Generalization

Does performance extend beyond the exact task items?

10.2 Domain Generalization

Does performance extend across related professional or technical domains?

10.3 Environment Generalization

Does capability persist under different tools, interfaces, and constraints?

10.4 Temporal Generalization

Does a result remain applicable after time passes or the system changes?

10.5 Language and Cultural Generalization

Does the construct remain valid across language, cultural, and institutional contexts?

10.6 Deployment Generalization

Does controlled performance predict actual use?

Deployment introduces:

10.7 Generalization Evidence

Useful evidence includes:

10.8 No Universal Generalization

A result should state the population and conditions to which it is intended to generalize.


11. Benchmark Versus Evaluation Protocol

11.1 Benchmark Value

Benchmarks can provide:

11.2 Benchmark Limits

Benchmarks may suffer from:

Interdisciplinary reviews of AI benchmarking have documented recurring concerns concerning construct validity, contamination, comparability, reporting, and institutional effects.[^benchmark-review]

11.3 Protocol Completeness

A protocol includes more than a benchmark.

It should specify:

11.4 Benchmark as Component

A benchmark may be one component in a portfolio.

It should not automatically define the entire evaluation conclusion.

11.5 Leaderboard Use

Leaderboards should be limited when:

11.6 Harder Is Not Automatically Better

A harder benchmark may:

Difficulty should serve the construct.

11.7 Public Signal Versus Scientific Instrument

A benchmark can become influential as a public signal even after its scientific value declines.

Institutions should monitor both roles.


12. Public, Held-Out, and Protected Evaluation

12.1 Public Evaluation

Public tasks support:

They also permit:

12.2 Held-Out Evaluation

Held-out evaluation protects content or administration details before testing when exposure would weaken evidence.

12.3 Protected Elements

Protection may apply to:

12.4 Hidden Does Not Mean Valid

A secret task can be:

Protection preserves only the value the instrument already has.

12.5 Fair Notice

Evaluated parties should ordinarily understand:

Fair notice does not require disclosure of exact active items.

12.6 Holdout Governance

A credible held-out system requires:

12.7 Public and Protected Portfolio

A strong program often combines:


13. Dynamic Evaluation

13.1 Why Evaluation Must Change

Static instruments lose meaning as:

13.2 Stable and Dynamic Layers

A dynamic protocol should preserve a stable core:

while allowing controlled changes to:

13.3 Change Triggers

Triggers may include:

13.4 Comparability

Dynamic protocols should use:

13.5 False Continuity

Do not preserve a historical trend line when the meaning of the measurement changed materially.

13.6 Result Expiration

Every consequential result should have:

13.7 Protocol Retirement

A protocol should be retired when:

NIST frames TEVV as a lifecycle activity rather than a one-time endpoint, and its AI RMF Measure function emphasizes documented test sets, metrics, tools, and ongoing assessment.[^nist-rmf][^nist-measure]


14. Elicitation and the Capability Ceiling Problem

14.1 Observed Performance

Observed performance is a function of:

14.2 Capability Ceiling

A capability ceiling estimate asks:

What performance is plausibly available under defined, sufficiently strong elicitation?

It is not a claim about unlimited hypothetical optimization.

14.3 Elicitation Regimes

An evaluation may measure:

Default Performance

Ordinary use without specialized optimization.

Standardized Performance

Performance under a common protocol.

Best-Effort Performance

Performance after documented, bounded optimization.

Deployment Performance

Performance under practical product conditions.

Adversarially Elicited Performance

Performance when evaluators actively seek hidden or difficult-to-obtain capability.

14.4 Elicitation Budget

Record:

14.5 Developer Participation

Developers may improve elicitation by providing:

Developer input should not give the developer unilateral control of the conclusion.

14.6 External Elicitation

Independent evaluators may discover performance not demonstrated internally.

14.7 Under-Elicitation

Under-elicitation creates false negatives.

14.8 Over-Elicitation

An elaborate, task-specific system may demonstrate potential capability that is unavailable to ordinary users.

This can still matter for security or future capability.

The result should state the access and resources required.

14.9 Elicitation as Research

AISI has published a structured approach to capability elicitation experiments, reflecting the need to treat elicitation as a research object rather than an informal prompt-tuning step.[^aisi-elicitation]


15. Tools, Scaffolds, and System-Level Evaluation

15.1 Tool Dependence

Tools may transform capability.

Examples:

15.2 Model and System Scores

Report separately where possible:

15.3 Scaffold Quality

Scaffold performance can depend on:

15.4 Attribution

Do not attribute the full system result to the model alone.

15.5 System Boundaries

The protocol should identify which components are inside the evaluated system.

15.6 Human Assistance

Human assistance may include:

Record frequency and function.

15.7 Practical Capability

Practical capability should account for:


16. Agentic and Long-Horizon Evaluation

16.1 Why Long Horizons Matter

Many consequential tasks require:

Short tasks may miss these properties.

16.2 Task Horizon

Task horizon may be represented by:

METR's time-horizon research estimates the length of tasks that AI agents can complete at specified success probabilities, offering one useful operational lens on long-horizon capability while retaining domain and task-sampling limitations.[^metr-time]

16.3 Long-Horizon Failure Modes

16.4 Trajectory Evidence

Success or failure should be supplemented by trajectory analysis.

16.5 Partial Credit

Long tasks may require decomposition into:

16.6 Reliability Threshold

A 50 percent success probability may be informative for capability tracking.

It may be insufficient for operational use.

16.7 Open-World Evaluation

Open-world evaluations use less standardized, messier, longer, and more realistic tasks.

They can reveal capabilities missed by benchmark-scale testing, but they require strong qualitative judgment and careful small-sample interpretation.[^open-world-evals]

16.8 Environment Maintenance

Long-horizon environments should be:


17. Adversarial Evaluation and Red Teaming

17.1 Adversarial Purpose

Adversarial evaluation attempts to find failure, bypass, or harmful behavior under challenging conditions.

17.2 Red Teaming

Red teaming may involve:

17.3 Strengths

Red teaming can identify:

17.4 Limits

Red teaming generally does not establish:

17.5 Threat-Model Alignment

Adversarial evaluation should identify:

17.6 Adaptive Adversaries

Safeguards should be tested against attackers who respond to defenses.

17.7 Independence

A red team should have sufficient freedom to select attack methods.

17.8 Evidence Preservation

Record:

17.9 Red-Team Claim Discipline

Preferred conclusion:

The exercise identified the following failure pathways under the assessed threat model.

Avoid:

The system passed red teaming and is safe.


18. Evaluation Awareness, Strategic Behavior, and Sandbagging

18.1 Evaluation Awareness

A system may detect cues that distinguish evaluation from deployment.

Cues may include:

18.2 Behavioral Differential

If behavior changes in recognized evaluation contexts, the validity of deployment claims may weaken.

18.3 Sandbagging

Sandbagging is one possible explanation for selective underperformance.

Other explanations include:

18.4 Detection Methods

Possible methods:

18.5 No Easy Proof of Absence

Failure to detect sandbagging does not prove that strategic concealment is impossible.

18.6 Sabotage Evaluation

Anthropic's sabotage-evaluation work includes explicit tests of sandbagging, oversight undermining, and agent behavior in complex environments, illustrating that evaluator deception can itself become an evaluation target.[^anthropic-sabotage]

18.7 Governance Implication

Evaluation-awareness risk should influence:


19. Behavioral, Mechanistic, and Operational Evidence

No single evidence type should dominate every evaluation question.

19.1 Behavioral Evidence

Behavioral evidence concerns observable outputs and actions.

Strengths:

Limits:

19.2 Mechanistic Evidence

Mechanistic evidence concerns internal processes or representations.

Possible methods:

Strengths:

Limits:

19.3 Operational Evidence

Operational evidence arises from realistic or actual use.

Examples:

Strengths:

Limits:

19.4 Organizational Evidence

Organizational evidence concerns:

Documents show intended process.

Operational records show whether the process functions.

19.5 Evidence Triangulation

A high-stakes conclusion should combine evidence types where feasible.

Example:

A cyber-capability claim may use:

19.6 Contradictory Evidence

If behavioral, mechanistic, and operational evidence conflict:

19.7 Evidence Hierarchy Warning

Mechanistic evidence is not automatically deeper truth.

Operational evidence is not automatically representative.

Behavioral evidence is not automatically superficial.

Weight depends on the claim.


20. Human Baselines and Human-AI Uplift

20.1 Why Human Comparison Matters

Human baselines can support:

20.2 Human Reference Group

Define:

20.3 Comparable Conditions

Human and AI comparisons should consider:

20.4 Superhuman Claims

A system should be called superhuman only relative to a defined human group and conditions.

20.5 Human-AI Team Evaluation

Many deployments involve teams rather than replacement.

Evaluate:

20.6 Uplift

Uplift may concern:

20.7 Negative Uplift

AI can reduce human performance through:

METR's study of experienced open-source developers found a gap between perceived and measured productivity in one defined setting, illustrating why human-AI outcomes should be measured rather than inferred from user belief alone.[^metr-developer-study]

20.8 Distribution of Uplift

Uplift may differ by:

Average uplift can hide harm to a subgroup.


21. Capability, Propensity, Risk, and Safeguards

21.1 Capability

Capability concerns what the system can do under defined conditions.

21.2 Propensity

Propensity concerns the likelihood that the system will display or pursue a behavior under relevant conditions.

21.3 Access

Access concerns who can use the capability and with what permissions.

21.4 Exposure

Exposure concerns which people, institutions, or systems are subject to the hazard.

21.5 Safeguards

Safeguards modify practical risk.

21.6 Consequence

Consequence concerns the magnitude and distribution of harm.

21.7 Risk Model

A useful risk evaluation should distinguish at least:

21.8 Pre-Mitigation and Post-Mitigation Assessment

A system may have:

Report each component.

21.9 Safeguard Evaluation

Safeguard evidence should include:

21.10 No Capability Threshold as Automatic Risk Conclusion

A capability threshold may trigger a risk-management process.

It should not substitute for that process.

Frontier safety frameworks used by developers increasingly connect capability levels to additional evaluations and safeguards, but these frameworks remain institution-specific and should not be treated as universal proof of risk or safety.[^openai-pf][^deepmind-fsf]


22. Thresholds

22.1 Purpose of Thresholds

Thresholds can trigger:

22.2 Threshold Types

Measurement Threshold

A score boundary.

Evidence Threshold

A required level of support.

Alert Threshold

An early-warning point.

Critical Capability Threshold

A capability level associated with severe-risk concern.

Operational Threshold

A deployment or control trigger.

Legal Threshold

A boundary defined by law or regulation.

22.3 Threshold Inputs

A threshold should consider:

22.4 Threshold Precision

Avoid false precision.

A threshold may be represented as:

22.5 Threshold Crossing

A crossing should trigger:

22.6 Near-Threshold Results

Near-threshold results require caution because measurement noise can change classification.

22.7 Threshold Revision

Thresholds should be versioned and reviewed after:

22.8 Threshold Governance

Record:


23. Decision Linkage

23.1 Evaluation Without Decision

Some research evaluations are exploratory.

They should still state likely and invalid uses.

23.2 Decision Record

For consequential evaluation, identify:

23.3 Decision Relevance

A statistically significant difference may be irrelevant to the decision.

A small qualitative finding may be decisive if it reveals a severe failure pathway.

23.4 False Positives

A false positive may:

23.5 False Negatives

A false negative may:

23.6 Reversible Decisions

Under high uncertainty, prefer decisions that preserve learning and correction where possible.

23.7 Technical and Normative Judgment

Evaluation can estimate:

It cannot independently decide:


24. Uncertainty

24.1 Uncertainty Is an Output

An evaluation should produce an uncertainty account, not only a point estimate.

24.2 Sources of Uncertainty

24.3 Quantitative Uncertainty

Use when supported:

24.4 Qualitative Uncertainty

Use structured language when quantification would mislead.

24.5 Epistemic and Aleatoric Uncertainty

Distinguish uncertainty due to:

when useful.

24.6 Uncertainty Communication

State:

24.7 Unknown Unknowns

Diverse review, stress testing, incident monitoring, and humility help address unknown failure modes.

They do not eliminate them.

24.8 Uncertainty and Public Claims

Public summaries should not remove uncertainty merely for simplicity.


25. Scoring, Aggregation, and Interpretation

25.1 Scoring Rules

A scoring rule should be:

25.2 Exact Scoring

Exact match is efficient but may penalize equivalent answers or reward superficial form.

25.3 Human Scoring

Human judges offer nuance but introduce:

25.4 Model-Based Scoring

Model judges offer scale.

They require validation for:

25.5 Environment-Based Scoring

Objective environment outcomes can improve directness.

They may still encode narrow success definitions.

25.6 Partial Credit

Partial credit can reveal capability structure.

It can also introduce judgment complexity.

25.7 Aggregate Scores

Aggregation can support communication.

It can hide:

25.8 Weighting

Weights should be justified by:

25.9 Noncompensatory Criteria

Some critical failures should not be offset by strengths elsewhere.

25.10 Score Uncertainty

Report uncertainty around:

25.11 Score Comparability

Do not compare scores when:


26. Fairness, Accessibility, and Localization

26.1 Fairness of Evaluation

An evaluation may be unfair if irrelevant barriers alter results.

Examples:

26.2 Fairness Is Not Easiness

Removing irrelevant barriers does not require lowering the construct standard.

26.3 Evaluated-Party Fairness

For high-consequence evaluation, provide:

26.4 Affected-Party Fairness

Evaluation should also consider people affected by system use.

A process can be fair to a developer while ignoring public harm.

26.5 Localization

Localization may require:

26.6 Translation Validity

Literal translation may change:

26.7 Resource Inequality

Evaluation requirements can privilege actors with:

26.8 Functional Access Pathways

Standards should support:


27. Domain Expertise

27.1 Why Domain Expertise Matters

Frontier evaluation increasingly reaches areas where plausible-looking tasks can be technically wrong.

Domain experts support:

27.2 Evaluation Expertise Is Also Distinct

A domain expert may lack:

A strong team combines expertise.

27.3 Expert Disagreement

Disagreement may concern:

Preserve material dissent.

27.4 Expert Scarcity

High-quality evaluation can depend on scarce expert labor.

This affects:

27.5 Expert Calibration

Where experts estimate probabilities or levels, use structured judgment and calibration where feasible.


28. Evaluator Role and Institutional Context

28.1 Evaluator Choice Shapes the Result

Evaluators choose:

28.2 First-Party Evaluation

Strengths:

Limits:

28.3 Third-Party Evaluation

Strengths:

Limits:

28.4 Independent Review

Independence requires more than organizational separation.

Apply FOUNDATION_04_INDEPENDENT_EXPERT_REVIEW.md.

28.5 Evaluator Competence

Competence should be scoped by:

28.6 Evaluation Markets

Commercial incentives can produce:

28.7 Public Evaluators

Government or public evaluators may have:

They may also face:

28.8 Community Evaluation

Community evaluation can reveal:

It requires provenance, ethics, and security.

28.9 Institutional Diversity

A plural evaluation ecosystem reduces dependence on one institution's assumptions.


29. Timing, Lifecycle, and Continuous Evaluation

29.1 Pre-Training

Evaluation may examine:

29.2 During Training

Evaluation may track:

29.3 Post-Training

Evaluation may assess the candidate model and system.

29.4 Pre-Deployment

Evaluation should connect capability, safeguards, access, and deployment.

29.5 Post-Deployment

Monitor:

29.6 Continuous Evaluation

Continuous evaluation may combine:

OpenAI's Preparedness Framework emphasizes scalable recurring evaluation complemented by expert-led deeper assessment, illustrating one institutional response to faster model-update cadence.[^openai-pf-update]

29.7 Triggered Re-Evaluation

Triggers include:

29.8 Expiration

Results should display:

29.9 Legacy Systems

Older systems may remain deployed after the evaluation framework changes.

Create:


30. Evaluation Claims and Reporting

30.1 Claim Structure

A result claim should identify:

30.2 Capability Language

Preferred:

Demonstrated the defined capability under the assessed conditions.

Avoid:

Possesses the capability in all contexts.

30.3 Negative Language

Preferred:

Did not demonstrate the capability under the assessed conditions.

Avoid:

Cannot perform the task.

30.4 Safety Language

Preferred:

Met the specified safeguard criteria under the assessed threat model.

Avoid:

Certified safe.

30.5 Comparison Language

State whether differences are:

30.6 Public Summary

A public summary should preserve:

30.7 Result Profile

Report multidimensional profiles rather than one score where consequence is high.

30.8 Correction

A result should be corrected or withdrawn after:


31. The Limits of Evaluation

Evaluation is powerful because it makes claims testable.

Evaluation is dangerous when it creates an illusion that every important question has been resolved.

31.1 Evaluation Cannot Prove Universal Safety

A result is bounded by:

31.2 Evaluation Cannot Exhaust the Behavior Space

Frontier systems may face:

31.3 Evaluation Cannot Prove Absence Easily

Failure to observe a behavior can reflect:

31.4 Evaluation Cannot Eliminate Distribution Shift

Deployment can differ from evaluation in:

31.5 Evaluation Cannot Resolve Every Normative Question

Measurement cannot determine by itself:

31.6 Evaluation Cannot Replace Security Engineering

Testing may reveal vulnerabilities.

Security also requires:

31.7 Evaluation Cannot Replace Governance

Evidence needs institutions to:

31.8 Evaluation Cannot Guarantee Future Behavior

Models and systems change.

Users adapt.

Attackers learn.

31.9 Evaluation Cannot Guarantee Evaluator Integrity

The evaluator may be:

31.10 Evaluation Cannot Make a Weak Construct Strong Through Scale

Millions of task results do not solve a wrong measurement target.

31.11 Evaluation Cannot Convert Secrecy Into Credibility

Confidential evidence needs independent governance.

31.12 Evaluation Cannot Convert Precision Into Truth

A result with three decimal places may still be conceptually weak.

31.13 Evaluation Cannot Eliminate Surprise

A credible system plans for incidents and revision.


32. Evaluation Portfolios

32.1 Why Portfolios Are Necessary

Different methods reveal different properties.

A portfolio reduces dependence on one instrument.

32.2 Portfolio Components

Public Benchmarks

Useful for:

Held-Out Evaluations

Useful for:

Dynamic Protocols

Useful for:

Adversarial Tests

Useful for:

Open-World Evaluations

Useful for:

Mechanistic Analysis

Useful for:

Human-Uplift Studies

Useful for:

Operational Monitoring

Useful for:

Independent Review

Useful for:

32.3 Portfolio Design

A portfolio should be designed against:

32.4 Portfolio Redundancy

Overlapping methods can provide corroboration.

32.5 Portfolio Diversity

Methods should fail differently.

Several benchmarks using the same task format may not provide real diversity.

32.6 Portfolio Weighting

Weight methods by:

32.7 Portfolio Conflict

Conflicting results should remain visible.

32.8 Portfolio Maintenance

Add, revise, or remove components after:


33. Evaluation of Safeguards

33.1 Safeguards Are Conditional

Safeguards work against defined threats and contexts.

33.2 Safeguard Evaluation Questions

33.3 Layered Safeguards

Evaluate:

33.4 Defense in Depth

Do not assume independent protection where controls share:

33.5 Safeguard Bypass

Record:

33.6 Operational Burden

Safeguards can create:

33.7 Safeguard Decay

Controls may weaken as:

33.8 Safeguard Claims

A safeguard result should never be generalized beyond the assessed threat model without additional evidence.


34. Evaluation of Organizations and Institutions

34.1 Policy Is Not Practice

Written policy is evidence of formal intention.

It is not sufficient evidence of effective implementation.

34.2 Organizational Evaluation Objects

34.3 Process and Outcome

Evaluate both:

Process

Was the required procedure followed?

Outcome

Did the process improve the relevant result?

34.4 Institutional Performance

Possible indicators:

34.5 Assurance Limits

An audit or certification may establish conformity with criteria.

It does not establish that every organizational outcome is effective.

34.6 Institutional Gaming

Organizations may optimize:

without improving the underlying objective.

34.7 Unannounced and Continuous Evidence

Where appropriate, institutional evaluation may include:

34.8 Institutional Context

The same requirement may produce different outcomes under different:


35. Meta-Evaluation

Meta-evaluation is evaluation of evaluation.

35.1 Objects of Meta-Evaluation

35.2 Meta-Evaluation Questions

35.3 Protocol Performance Metrics

Possible metrics:

35.4 Judge Evaluation

A judge should be evaluated for:

35.5 Evaluator Evaluation

An evaluator should be evaluated for:

35.6 Evaluation-System Outcomes

The final question is not only:

Did the evaluation run correctly?

It is also:

Did the evaluation system improve decisions and reduce error?


36. Evaluation Maturity Model

Level 0: Score-Centered

Characteristics:

Level 1: Protocol-Defined

Characteristics:

Level 2: Validity-Aware

Characteristics:

Level 3: Integrity-Protected and Independently Challenged

Characteristics:

Level 4: Decision-Grade Portfolio

Characteristics:

Level 5: Adaptive Evaluation Institution

Characteristics:

Maturity Rule

A large number of benchmarks does not establish mature evaluation.

Maturity depends on the quality of inference, governance, integrity, and use.


37. Evaluation Design Lifecycle

37.1 Define the Decision

Identify:

37.2 Define the Claim

State the exact proposition.

37.3 Identify the Object

Create the model or system manifest.

37.4 Define the Construct

Describe:

37.5 Select Evidence

Choose a portfolio appropriate to the claim.

37.6 Design Tasks

Define:

37.7 Define Elicitation

Set:

37.8 Validate the Method

Use:

37.9 Govern Integrity

Apply:

37.10 Execute

Preserve:

37.11 Score and Analyze

Report:

37.12 Review

Use qualified and independent challenge.

37.13 Interpret

Connect the result to:

37.14 Publish or Restrict

Apply appropriate transparency and security.

37.15 Monitor

Track:

37.16 Correct or Retire

Change status visibly.


38. Evaluation Design Template

Evaluation ID:
Title:
Version:
Owner:
Date:
Status:

1. Decision and Intended Use

2. Claim

3. Evaluated Object

4. Construct

5. Scope and Invalid Interpretations

6. Evidence Portfolio

7. Task Universe and Sampling

8. Public and Held-Out Components

9. Environment

10. Elicitation and Resource Budget

11. Tools and Scaffolds

12. Human Baseline or Uplift Design

13. Scoring

14. Reliability

15. Validity Evidence

16. Uncertainty

17. Adversarial and Awareness Testing

18. Safeguard Evaluation

19. Security and Integrity

20. Evaluator and Reviewer

21. Thresholds and Decision Rules

22. Reporting

23. Expiration and Re-Evaluation

24. Corrections and Appeals


39. Validity Argument Template

Evaluation:
Protocol version:
Claim:
Intended use:

Construct

Observed Evidence

Scoring Inference

How are observations converted into scores or findings?

Generalization Inference

Why should the task sample represent the relevant domain?

Extrapolation Inference

Why should controlled results apply to the intended setting?

Decision Inference

Why is the result relevant to the decision?

Supporting Evidence

Contrary Evidence

Assumptions

Alternative Explanations

Uncertainty

Invalid Uses

Review and Confidence


40. Evaluation Result Profile Template

Result ID:
System ID and version:
Protocol ID and version:
Evaluator:
Date:
Lifecycle stage:

Claim Assessed

Evaluation Conditions

Elicitation

Tools and Scaffolds

Task Sample

Result

Reliability

Uncertainty

Integrity Status

Evidence Level

Confidence

Safeguard Context

Reviewer Findings

Limitations

Valid Through

Re-Evaluation Triggers

Status


41. Evaluation Portfolio Template

Decision:
Consequence level:
Portfolio owner:

Component Purpose Strength Limitation Independence Integrity Status
Public benchmark
Held-out test
Dynamic task suite
Adversarial evaluation
Open-world evaluation
Mechanistic evidence
Human-uplift study
Operational monitoring
Independent review

Portfolio Conclusion

Conflicting Evidence

Remaining Gaps

Decision Implication

Expiration


42. Evaluation Philosophy Scorecard

Dimension Core question
Decision Is the intended use explicit?
Claim Is the claim bounded?
Object Is the exact model, system, deployment, or institution identified?
Construct Is the intended property defined?
Content validity Does the task sample represent the domain?
Construct validity Does evidence support the intended interpretation?
Criterion validity Is the result linked to an external outcome where needed?
Reliability Is measurement sufficiently consistent?
Generalization Is extrapolation beyond the sample justified?
Protocol Is the complete method versioned?
Integrity Is contamination and gaming controlled?
Elicitation Are capability-relevant conditions documented?
System boundary Are tools, scaffolds, humans, and safeguards included correctly?
Long horizon Are multi-step and reliability effects addressed where relevant?
Adversarial testing Were realistic failure-seeking methods used?
Evaluation awareness Was context-sensitive behavior considered?
Evidence portfolio Are complementary methods combined?
Human baseline Is the comparison population defined?
Capability-risk separation Are capability, propensity, access, safeguards, and consequence distinct?
Thresholds Are thresholds evidence-based and governed?
Scoring Is scoring valid, reviewable, and uncertainty-aware?
Aggregation Are critical failures hidden by averages?
Fairness Are irrelevant barriers and affected-party concerns addressed?
Expertise Are domain and evaluation competencies present?
Independence Is evaluator independence sufficient?
Timing Is lifecycle stage and recency clear?
Expiration Are re-evaluation triggers defined?
Reporting Does the claim remain within evidence?
Limits Are invalid interpretations explicit?
Correction Can the result be corrected, suspended, or withdrawn?
Meta-evaluation Will the evaluation itself be tested?

42.1 Critical Failures

The following normally prevent a consequential evaluation from supporting a decision-grade conclusion:

42.2 No Universal Evaluation Score

Do not average the scorecard into one master rating.

A critical validity failure cannot be offset by strong documentation elsewhere.


43. Consolidated Evaluation Failure Modes

43.1 Leaderboard Reduction

Failure:

Evaluation becomes synonymous with rank.

Effect:

Control:

Use multidimensional profiles, protocol disclosure, and claim limits.

43.2 Construct Substitution

Failure:

An easy-to-measure proxy replaces the intended construct.

Control:

Maintain a validity argument and criterion evidence.

43.3 Model-System Collapse

Failure:

A model result is presented as a system or deployment result.

Control:

Use exact object identity and system manifests.

43.4 Public-Benchmark Dependence

Failure:

Known tasks become the sole evidence for current capability.

Control:

Combine public, held-out, dynamic, and operational methods.

43.5 Hidden-Test Mystique

Failure:

Confidentiality is mistaken for scientific quality.

Control:

Review construct, task quality, scoring, governance, and public limitations.

43.6 Under-Elicitation

Failure:

Weak prompting or integration produces a false negative.

Control:

Specify an elicitation budget and use qualified best-effort methods.

43.7 Artificial Over-Elicitation

Failure:

Highly task-specific engineering is presented as ordinary practical capability.

Control:

Report default, standardized, best-effort, and deployment regimes separately.

43.8 Single-Run Reporting

Failure:

One favorable or unfavorable stochastic outcome is treated as representative.

Control:

Use repeated runs and distributions.

43.9 Composite-Score Masking

Failure:

Averages conceal catastrophic failures or domain weakness.

Control:

Use decomposable and noncompensatory criteria.

43.10 Judge Circularity

Failure:

A closely related model judges outputs and reproduces shared biases.

Control:

Validate against independent human or environment-based outcomes.

43.11 Benchmark Saturation

Failure:

High scores compress differences and weaken discrimination.

Control:

Renew tasks, redesign the construct, or retire the instrument.

43.12 Contamination

Failure:

Evaluation content enters training or preparation.

Control:

Use provenance, holdouts, rotation, compromise status, and re-evaluation.

43.13 Evaluation Awareness

Failure:

The system behaves differently because it recognizes the test.

Control:

Vary contexts, use deployment-like settings, and narrow claims.

43.14 Sandbagging Overclaim

Failure:

Any poor result is labeled strategic concealment.

Control:

Test alternative explanations and require evidence.

43.15 Red-Team Pass Claim

Failure:

No discovered bypass is presented as proof of safety.

Control:

Report the tested threat model and search effort.

43.16 Human-Baseline Distortion

Failure:

Humans and systems receive different tools, time, incentives, or scoring.

Control:

Define comparable conditions and remaining asymmetry.

43.17 Operational Romanticism

Failure:

Real-world evidence is treated as automatically superior.

Control:

Address confounding, selection, logging, privacy, and changing systems.

43.18 Mechanistic Overreach

Failure:

An internal feature is treated as definitive proof of future behavior.

Control:

Triangulate with behavior and causal interventions.

43.19 Threshold Theater

Failure:

A precise boundary lacks a valid construct or consequence model.

Control:

Use uncertainty, evidence cases, review, and triggers.

43.20 Evaluation Capture

Failure:

The developer, client, evaluator, or regulator controls questions and conclusions.

Control:

Use independent governance, conflict disclosure, and publication rights.

43.21 Stale Evidence

Failure:

Old results remain attached to changed systems.

Control:

Use expiration, status, and event-triggered review.

43.22 Compliance Substitution

Failure:

Passing a process test replaces evidence of effective outcomes.

Control:

Evaluate both process and performance.

43.23 Safety-Washing

Failure:

A narrow test is used to market broad safety.

Control:

Apply controlled public-claim vocabulary and independent review.

43.24 Institutional Monoculture

Failure:

One evaluator or framework becomes the sole source of legitimacy.

Control:

Support plural evaluators, crosswalks, replication, and appeals.

43.25 Evaluation Burden Failure

Failure:

Requirements become so costly that only dominant actors can comply.

Control:

Use proportionality, shared infrastructure, and functional access pathways.


44. Serious Objections and Responses

Objection 1: Evaluation cannot keep pace with frontier development

This objection is partly correct.

Static evaluation cannot keep pace.

The response is not to abandon evaluation.

It is to use:

Evaluation may still lag.

The lag should be measured and disclosed.

Objection 2: Any published evaluation will be gamed

Public instruments can be optimized against.

They still support:

A portfolio with protected and dynamic components reduces dependence on public tasks.

Objection 3: Held-out evaluations are unaccountable

They can be unaccountable.

They need not be.

Accountability can operate through:

Objection 4: Evaluation results are too context-dependent to standardize

Context dependence is real.

Standardization should focus on:

rather than forcing one universal task set.

Objection 5: Model capability is changing too quickly for thresholds

Thresholds may become stale.

They can still serve as provisional process triggers if they are:

Objection 6: Independent evaluators cannot obtain sufficient access

Access is a major constraint.

Responses include:

Objection 7: Evaluation creates dangerous information

Some evaluation work can increase risk.

The response is graded publication, safe proxies, secure review, and deliberate disclosure governance.

Objection 8: Evaluation becomes regulation by another name

Evaluation can exercise de facto power.

This is why technical evidence, standards, certification, procurement, and legal authority must remain distinct.

Objection 9: Expert judgment is too subjective

Expert judgment can be biased.

Automated metrics also encode judgment.

Structured expert methods, conflict controls, dissent, and calibration improve accountability.

Objection 10: Real-world deployment is the only meaningful test

Deployment evidence is essential.

Uncontrolled deployment cannot ethically or efficiently answer every high-stakes question.

Controlled and proxy methods remain necessary.

Objection 11: Mechanistic understanding should replace behavioral testing

Mechanistic evidence is promising but incomplete.

Behavior, mechanism, operations, and institutions answer different questions.

Objection 12: Evaluation will always be captured by powerful laboratories

Capture is a serious structural risk.

Countermeasures include:

No governance model eliminates capture risk.


45. Evaluation Research Agenda

45.1 Construct Science

Research:

45.2 Protocol Validity

Research:

45.3 Dynamic Evaluation

Research:

45.4 Contamination and Integrity

Research:

45.5 Elicitation

Research:

45.6 Agentic Evaluation

Research:

45.7 Evaluation Awareness

Research:

45.8 Model-Based Judges

Research:

45.9 Mechanistic Evidence

Research:

45.10 Human-AI Teams

Research:

45.11 Safeguard Evaluation

Research:

45.12 Evaluation Institutions

Research:

45.13 Public Understanding

Research how audiences interpret:

45.14 International Evaluation

Research:

45.15 Meta-Evaluation

Research whether evaluation changes:


46. Near-Term Standards Body Evaluation Program

46.1 Protocol Anatomy Standard

Develop a common minimum structure for evaluation protocols.

46.2 System Identity Schema

Develop a machine-readable system manifest.

46.3 Result Profile

Develop a result schema carrying:

46.4 Validity Argument Pilot

Apply the validity template to three existing frontier evaluations.

46.5 Elicitation Disclosure Standard

Define minimum reporting for tools, prompts, retries, fine-tuning, and human effort.

46.6 Held-Out Integrity Profile

Define security and governance metadata for protected evaluation.

46.7 Human Baseline Standard

Develop requirements for comparable human reference groups.

46.8 Judge Validation Pilot

Compare model judges, human judges, and environment-based scoring.

46.9 Long-Horizon Evaluation Pilot

Evaluate an agent on bounded, realistic, multi-hour tasks.

46.10 Evaluation Expiration Registry

Track current, expired, superseded, and compromised results.

46.11 Public-Claims Audit

Review model and system evaluation claims for scope and validity.

46.12 Meta-Evaluation Pilot

Test whether one evaluation result actually predicted a later operational outcome.


47. Canonical Standards Body Evaluation Positions

Standards Body adopts the following working positions.

  1. Evaluation is structured evidence for bounded claims and decisions under uncertainty.

  2. A score is not an evaluation by itself.

  3. A benchmark is a component, not the complete protocol.

  4. The protocol is the proper unit of evaluation governance.

  5. The exact evaluated object should be identified.

  6. Model, system, deployment, and human-AI team results are distinct.

  7. Evaluation conditions are part of the result.

  8. Tools, scaffolds, retrieval, memory, and human assistance should be reported.

  9. Validity concerns the intended interpretation and use.

  10. Reliability is necessary for many uses but does not establish validity.

  11. A measure can be reliable and wrong.

  12. A harder benchmark is not automatically a better benchmark.

  13. Public benchmarks remain useful but should not be the sole basis of consequential claims.

  14. Held-out evaluation can protect integrity but does not guarantee validity.

  15. Protected content and transparent governance should coexist.

  16. Dynamic protocols are necessary for changing frontier systems.

  17. Historical comparison should be abandoned when continuity cannot be defended.

  18. Consequential results should expire.

  19. Failure to demonstrate capability is not proof of incapability.

  20. Elicitation quality should be treated as a first-order methodological issue.

  21. Best-effort capability and practical deployment capability should be distinguished.

  22. Base-model capability and system capability should be distinguished.

  23. Long-horizon evaluation should examine trajectories, recovery, and reliability.

  24. A 50 percent task-success horizon is not an operational reliability standard.

  25. Red teaming is failure-seeking evidence, not proof of absence after no finding.

  26. Evaluation awareness can weaken the validity of deployment claims.

  27. Sandbagging should be tested rather than presumed.

  28. Behavioral, mechanistic, operational, and organizational evidence are complementary.

  29. Mechanistic evidence should not automatically override observed behavior.

  30. Operational evidence should not automatically be treated as representative.

  31. Human baselines should define population, tools, time, and incentives.

  32. Human-AI uplift should be measured rather than assumed.

  33. Capability and risk are distinct.

  34. Capability thresholds should trigger processes, not replace risk analysis.

  35. Safeguards should be evaluated against explicit threat models.

  36. Safeguard success does not prove universal safety.

  37. Thresholds should be uncertainty-aware, governed, and revisable.

  38. Evaluation cannot determine acceptable risk by itself.

  39. Technical findings and normative decisions should remain distinguishable.

  40. Consequential evaluation should use an evidence portfolio.

  41. Methods in a portfolio should fail differently.

  42. Aggregate scores should not conceal critical failures.

  43. Model-based judges require validation and version control.

  44. Fair evaluation includes both evaluated-party procedure and affected-party consequence.

  45. Domain expertise and evaluation expertise are distinct and jointly necessary.

  46. First-party evidence is valuable but insufficient for the most consequential claims.

  47. External does not automatically mean independent.

  48. Evaluator competence should be scope-specific.

  49. Evaluation should occur across the lifecycle, not only before release.

  50. Evaluation systems, evaluators, thresholds, and standards should themselves be evaluated.


48. Relationship to Canonical Files

PROJECT_IDENTITY.md

Defines the project's present role and prevents evaluation outputs from implying unsupported authority.

TERMINOLOGY.md

Defines the controlled meaning of evaluation, test, benchmark, capability, risk, safety, audit, certification, and accreditation.

FOUNDATIONS.md

Provides the overview of the eight-foundation evaluation infrastructure.

FOUNDATIONS_APPENDIX.md

Connects this philosophy to the complete institutional lifecycle.

EVIDENCE_STANDARDS.md

Defines evidence quality, evidence levels, confidence, sourcing, and claim limits.

RESEARCH_METHODOLOGY.md

Defines how evaluation research should be planned, executed, reviewed, and corrected.

TAXONOMY.md

Classifies evaluation objects, methods, evidence, actors, risks, safeguards, and statuses.

Foundation 1

Operationalizes dynamic and versioned evaluation protocols.

Foundation 2

Operationalizes held-out evaluation integrity and protected evidence.

Foundation 3

Operationalizes high-stakes capability evaluation and decision-linked rigor.

Foundation 4

Operationalizes independent expert review.

Foundation 5

Operationalizes third-party evaluator and assurance ecosystems.

Foundation 6

Connects mature evaluation practices to progressive standards and requirements.

Foundation 7

Examines incentives created by scores, rankings, thresholds, and recognition.

Foundation 8

Makes evaluation evidence interpretable across institutions and jurisdictions.


49. Final Evaluation Position

Evaluation is one of the central institutions through which societies will understand frontier AI.

That gives evaluation unusual power.

It can determine:

That power makes shallow evaluation dangerous.

A leaderboard can shape investment before its construct is validated.

A hidden test can shape deployment before its governance is legitimate.

A threshold can shape law before its uncertainty is understood.

A certificate can shape public trust before its scope is read.

A model can pass a test while failing in deployment.

A model can fail a test because the evaluator did not know how to elicit it.

An institution can perform every required process while missing the real hazard.

The response is not to reject evaluation.

It is to treat evaluation as a disciplined institutional practice.

A credible evaluation should make clear:

Evaluation should narrow uncertainty without pretending to abolish it.

It should support judgment without hiding judgment.

It should create comparability without manufacturing sameness.

It should support accountability without becoming theater.

It should protect evidence without becoming unreviewable.

It should evolve without rewriting history.

The defining philosophy of Standards Body is:

Evaluation is not proof of safety. It is structured, reviewable, and revisable evidence for bounded decisions under uncertainty.


References and Research Basis

[^standards-testing]: American Educational Research Association, American Psychological Association, and National Council on Measurement in Education, Standards for Educational and Psychological Testing, 2014. https://www.testingstandards.net/

[^messick]: Samuel Messick, Validity, in Educational Measurement, 3rd edition, 1989.

[^benchmark-review]: Anna-Katharina Reuel and collaborators, Can We Trust AI Benchmarks? An Interdisciplinary Review of Current Issues in AI Evaluation, 2025. https://arxiv.org/abs/2502.06559

[^nist-rmf]: National Institute of Standards and Technology, Artificial Intelligence Risk Management Framework (AI RMF 1.0), NIST AI 100-1, 2023. https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf

[^nist-measure]: National Institute of Standards and Technology, AI RMF Playbook, Measure Function, NIST AI Resource Center. https://airc.nist.gov/airmf-resources/playbook/measure/

[^nist-tevv]: National Institute of Standards and Technology, AI Test, Evaluation, Validation and Verification. https://www.nist.gov/ai-test-evaluation-validation-and-verification-tevv

[^aisi-elicitation]: UK AI Security Institute, A Structured Protocol for Elicitation Experiments, July 16, 2025. https://www.aisi.gov.uk/blog/our-approach-to-ai-capability-elicitation

[^aisi-qa]: UK AI Security Institute, Early Insights from Developing Question-Answer Evaluations for Frontier AI, September 23, 2024. https://www.aisi.gov.uk/blog/early-insights-from-developing-question-answer-evaluations-for-frontier-ai

[^aisi-agenda]: UK AI Security Institute, Research Agenda, including the Science of Evaluations research area. https://www.aisi.gov.uk/research-agenda

[^openai-pf]: OpenAI, Preparedness Framework, Version 2, April 15, 2025. https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf

[^openai-pf-update]: OpenAI, Our Updated Preparedness Framework, April 15, 2025. https://openai.com/index/updating-our-preparedness-framework/

[^openai-external]: OpenAI, Strengthening Our Safety Ecosystem with External Testing, November 19, 2025. https://openai.com/index/strengthening-safety-with-external-testing/

[^deepmind-fsf]: Google DeepMind, Strengthening Our Frontier Safety Framework, updated through Framework 3.1 in April 2026. https://deepmind.google/blog/strengthening-our-frontier-safety-framework/

[^anthropic-sabotage]: Anthropic, Sabotage Evaluations for Frontier Models, 2024. https://www.anthropic.com/research/sabotage-evaluations

[^anthropic-shade]: Anthropic, Evaluating Sabotage and Monitoring in LLM Agents, 2025. https://www-cdn.anthropic.com/f4a31075d4763a01db68760733bb7b059e528781.pdf

[^metr-time]: METR, Task-Completion Time Horizons of Frontier AI Models, current methodology and results through 2026. https://metr.org/time-horizons/

[^metr-developer-study]: METR, Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity, July 10, 2025. https://metr.org/blog/2025-07-10-early-2025-ai-experienced-os-dev-study/

[^open-world-evals]: Beth Barnes and collaborators, Open-World Evaluations for Measuring Frontier AI Capabilities, 2026. https://arxiv.org/abs/2605.20520

[^inspect]: UK AI Security Institute, Inspect AI, an open-source framework for large language model evaluations. https://inspect.aisi.org.uk/

[^jcgm-vim]: Joint Committee for Guides in Metrology, International Vocabulary of Metrology, Basic and General Concepts and Associated Terms, JCGM 200. https://www.bipm.org/en/committees/jc/jcgm/publications

[^jcgm-gum]: Joint Committee for Guides in Metrology, Evaluation of Measurement Data, Guide to the Expression of Uncertainty in Measurement, JCGM 100. https://www.bipm.org/documents/20126/2071204/JCGM_100_2008_E.pdf


Revision Record

Version 1.0

Date: July 16, 2026

Change type: Complete foundational edition

Summary: Establishes the canonical Standards Body evaluation philosophy. Defines the purpose and limits of evaluation, evaluated-object identity, construct and validity theory, reliability, generalization, benchmarks, held-out and dynamic evaluation, elicitation, tools and scaffolds, long-horizon agents, adversarial evaluation, evaluation awareness and sandbagging, behavioral, mechanistic and operational evidence, human baselines, capability and risk, safeguards, thresholds, decision linkage, uncertainty, scoring, fairness, expertise, evaluator institutions, lifecycle evaluation, public claims, evaluation limits, portfolios, meta-evaluation, maturity, design lifecycle, templates, scorecard, failure modes, objections, research agenda, near-term program, canonical positions, and research basis.

Status: Approved foundational source.