Google DeepMind

Category
Google DeepMind
Best in Class
1. Risk Identification
27%
62%
  • 1. Classification of Applicable Known Risks (40%)
    50%
    90%
    • 1. Risks from literature and taxonomies are well covered (50%)
      75%
      90%
    • 2. Exclusions are clearly justified and documented (50%)
      25%
      90%
  • 2. Identification of Unknown Risks (Open-ended red teaming) (20%)
    7%
    43%
    • 1. Internal open-ended red teaming (70%)
      10%
      50%
    • 2. Third party open-ended red teaming (30%)
      0%
      25%
  • 3. Risk modeling (40%)
    13%
    52%
    • 1. The company uses risk models for all the risk domains identified
and the risk models are published (with potentially dangerous
information redacted) (40%)
      25%
      75%
    • 2. Risk modeling methodology (40%)
      9%
      43%
      • 1. Methodology precisely defined (70%)
        10%
        50%
      • 2. Mechanism to incorporate red teaming findings (15%)
        0%
        25%
      • 3. Prioritization of severe and probable risks (15%)
        10%
        75%
    • 3. Third party validation of risk models (20%)
      0%
      50%
2. Risk Analysis and Evaluation
21%
36%
  • 1. Setting a Risk Tolerance (35%)
    5%
    22%
    • 1. Risk tolerance is defined (80%)
      3%
      28%
      • 1. Risk tolerance is at least qualitatively defined for all risks (33%)
        10%
        75%
      • 2. Risk tolerance is expressed at least partly quantitatively as a combination of scenarios (qualitative) and probabilities (quantitative) for all risks (33%)
        0%
        10%
      • 3. Risk tolerance is expressed fully quantitatively as a product of severity (quantitative) and probability (quantitative) for all risks (33%)
        0%
        0%
    • 2. Process to define the tolerance (20%)
      10%
      10%
      • 1. AI developers engage in public consultations or seek guidance from regulators where available (50%)
        10%
        10%
      • 2. Any significant deviations from risk tolerance norms established in other industries is justified and documented (e.g., cost-benefit analyses) (50%)
        10%
        10%
  • 2. Operationalizing Risk Tolerance (65%)
    30%
    44%
    • 1. Key Risk Indicators (KRI) (30%)
      41%
      59%
      • 1. KRI thresholds are at least qualitatively defined for all risks (45%)
        75%
        75%
      • 2. KRI thresholds are quantitatively defined for all risks (45%)
        10%
        50%
      • 3. KRIs also identify and monitor changes in the level of risk in the external environment (10%)
        25%
        25%
    • 2. Key Control Indicators (KCI) (30%)
      37%
      37%
      • 1. Containment KCIs (35%)
        43%
        45%
        • 1. All KRI thresholds have corresponding qualitative containment KCI thresholds (50%)
          75%
          90%
        • 2. All KRI thresholds have corresponding quantitative containment KCI thresholds (50%)
          10%
          10%
      • 2. Deployment KCIs (35%)
        43%
        43%
        • 1. All KRI thresholds have corresponding qualitative deployment KCI thresholds (50%)
          75%
          75%
        • 2. All KRI thresholds have corresponding quantitative deployment KCI thresholds (50%)
          10%
          25%
      • 3. For advanced KRIs, assurance process KCIs are defined (30%)
        25%
        50%
    • 3. Pairs of thresholds are grounded in risk modeling to show that risks remain below the tolerance (20%)
      25%
      25%
    • 4. Policy to put development on hold if the required KCI threshold cannot be achieved, until sufficient controls are implemented to meet the threshold (20%)
      10%
      50%
3. Risk Treatment
20%
38%
  • 1. Implementing Mitigation Measures (50%)
    24%
    38%
    • 1. Containment measures (35%)
      19%
      74%
      • 1. Containment measures are precisely defined for all KCI thresholds (60%)
        25%
        90%
      • 2. Proof that containment measures are sufficient to meet the thresholds (40%)
        10%
        50%
      • 3. Strong third party verification process to verify that the containment measures meet the threshold (100% if 3.1.1.3 > [60% x 3.1.1.1 + 40% x 3.1.1.2])
        0%
        25%
    • 2. Deployment measures (35%)
      40%
      40%
      • 1. Deployment measures are precisely defined for all KCI thresholds (60%)
        50%
        50%
      • 2. Proof that deployment measures are sufficient to meet the thresholds (40%)
        25%
        100%
      • 3. Strong third party verification process to verify that the deployment measures meet the threshold (100% if 3.1.2.3 > [60% x 3.1.2.1 + 40% x 3.1.2.2])
        0%
        25%
    • 3. Assurance processes (30%)
      10%
      43%
      • 1. Credible plans towards the development of assurance processes (40%)
        25%
        25%
      • 2. Evidence that the assurance processes are enough to achieve their corresponding KCI thresholds (40%)
        0%
        50%
      • 3. The underlying assumptions that are essential for their effective implementation and success are clearly outlined (20%)
        10%
        75%
  • 2. Continuous Monitoring and Comparing Results with Pre-determined Thresholds (50%)
    17%
    40%
    • 1. Monitoring of KRIs (40%)
      19%
      50%
      • 1. Justification that elicitation methods used during the evaluations are comprehensive enough to match the elicitation efforts of potential threat actors (30%)
        25%
        90%
      • 2. Evaluation frequency (25%)
        25%
        90%
      • 3. Description of how post-training enhancements are factored into capability assessments (15%)
        25%
        50%
      • 4. Vetting of protocols by third parties (15%)
        10%
        25%
      • 5. Replication of evaluations by third parties (15%)
        0%
        25%
    • 2. Monitoring of KCIs (40%)
      10%
      43%
      • 1. Detailed description of evaluation methodology and justification that KCI thresholds will not be crossed unnoticed (40%)
        25%
        50%
      • 2. Vetting of protocols by third parties (30%)
        0%
        50%
      • 3. Replication of evaluations by third parties (30%)
        0%
        25%
    • 3. Transparency of evaluation results (10%)
      21%
      64%
      • 1. Sharing of evaluation results with relevant stakeholders as appropriate (85%)
        25%
        75%
      • 2. Commitment to non-interference with findings (15%)
        0%
        0%
    • 4. Monitoring for novel risks (10%)
      38%
      38%
      • 1. Identifying novel risks post-deployment: engages in some process (post deployment) explicitly for identifying novel risk domains or novel risk models within known risk domains (50%)
        50%
        50%
      • 2. Mechanism to incorporate novel risks identified post-deployment (50%)
        25%
        50%
4. Risk Governance
12%
50%
  • 1. Decision-making (25%)
    15%
    56%
    • 1. The company has clearly defined risk owners for every key risk identified and tracked (25%)
      0%
      75%
    • 2. The company has a dedicated risk committee at the management level that meets regularly (25%)
      0%
      90%
    • 3. The company has defined protocols for how to make go/no-go decisions (25%)
      50%
      75%
    • 4. The company has defined escalation procedures in case of incidents (25%)
      10%
      75%
  • 2. Advisory and Challenge (20%)
    14%
    75%
    • 1. The company has an executive risk officer with sufficient resources (16.7%)
      0%
      75%
    • 2. The company has a committee advising management on decisions involving risk (16.7%)
      10%
      90%
    • 3. The company has an established system for tracking and monitoring risks (16.7%)
      50%
      75%
    • 4. The company has designated people that can advise and challenge management on decisions involving risk (16.7%)
      0%
      50%
    • 5. The company has an established system for aggregating risk data and reporting on risk to senior management and the Board (16.7%)
      25%
      90%
    • 6. The company has an established central risk function (16.7%)
      0%
      50%
  • 3. Audit (20%)
    10%
    58%
    • 1. The company has an internal audit function involved in AI governance (50%)
      10%
      50%
    • 2. The company involves external auditors (50%)
      10%
      90%
  • 4. Oversight (20%)
    5%
    58%
    • 1. The Board of Directors of the company has a committee that provides oversight over all decisions involving risk (50%)
      0%
      90%
    • 2. The company has other governing bodies outside of the Board of Directors that provide oversight over decisions (50%)
      10%
      90%
  • 5. Culture (10%)
    7%
    67%
    • 1. The company has a strong tone from the top (33.3%)
      10%
      50%
    • 2. The company has a strong risk culture (33.3%)
      10%
      75%
    • 3. The company has a strong speak-up culture (33.3%)
      0%
      100%
  • 6. Transparency (5%)
    28%
    75%
    • 1. The company reports externally on what their risks are (33.3%)
      10%
      90%
    • 2. The company reports externally on what their governance structure looks like (33.3%)
      25%
      90%
    • 3. The company shares information with industry peers and government bodies (33.3%)
      50%
      90%
Summary

Google DeepMind’s latest framework is built around Critical Capability Levels (thresholds at which models may pose severe risk), supplemented by Tracked Capability Levels that flag significant risks at lower capability levels and trigger a proportionate mitigation and risk acceptance process. The framework scores best in Risk Analysis and Evaluation: capability thresholds are at least qualitatively defined for all covered risks, with corresponding deployment thresholds, and the update strengthened post-deployment identification of novel risks. However, Risk Governance is a weakest area relative to peers. The newly added governance section is simply a single high-level paragraph, with no named risk committee, board-level oversight, external audits, or substantive external risk reporting.

Overview
Strengths
  • Framework includes explicit domain-specific KRI thresholds that appear to be grounded in risk modeling (2.2.1).
  • Explicitly requires KCI implementation upon requiring prespecified KRI threshold (2.2.2).
  • Covers harmful manipulation.
Weaknesses
  • Lacking in some key governance measures, such as risk owners, internal audit, and an executive responsible for risk management process (4).
  • Escalation procedures remain minimal (4.1.4).
  • No details of a strong speak-up culture (4.5.3).
  • No commitment to specific evaluation frequency (3.2.1.2).
Documents analyzed

We analyzed the policies in Google DeepMind’s Frontier Safety Framework 3.1.

Changes from previous version

Compared to their Frontier Safety Framework Version 3.0, they:

  1. Added Tracked Capability Levels: warning thresholds for “significant but not severe” harm below the CCLs, with a proportionate mitigation and risk acceptance process.
  2. Demoted the safety case: In 3.0, mitigation assessments took the form of a safety case reviewed pre-deployment; in 3.1, the reviewed object is a residual risk assessment, with a safety case only “supplementing” it at CCLs.
  3. Narrowed when model versions are re-assessed: In 3.0, any material capability increase triggered reassessment; in 3.1, GDM must additionally judge that the increase “could materially undermine the justification” for risk acceptability.

1.1 Classification of Applicable Known Risks (40%) 50%

1.1.1 Risks from literature and taxonomies are well covered (50%) 75%

Risk domains covered include CBRN, Cyber, Machine Learning R&D and misalignment, and harmful manipulation. Loss of control risks (covered by machine learning R&D and misalignment) are partly decomposed into a “stealth and situational awareness TCL” and “acceleration” and “automation” CCLs, though it is unclear how the TCL and CCLs interact to form a combined risk picture of loss of control risks. They also link to external analyses and discussions on safety frameworks, including by Anthropic, METR, OpenAI, the Frontier Model Forum, and the UK government.

Quotes:

“We identify CCLs for two kinds of risks: misuse risk and risks related to machine learning R&D and misalignment. For misuse risk, we define CCLs in the following risk domains where the misuse of model capabilities may result in severe harm:
● CBRN: Risks of models assisting in the development, preparation, and/or execution of a chemical, biological, radiological, or nuclear (“CBRN”) threat.
● Cyber: Risks of models assisting in the development, preparation, and/or execution of a cyber attack.
● Harmful Manipulation: Risks of models with high manipulative capabilities potentially being misused in ways that could reasonably result in large scale harm. For machine learning R&D and misalignment risks, we define CCLs that identify when ML R&D capabilities in our models may, if not properly managed, reduce society’s overall ability to manage AI risks.” (p.4)

“We consider a wide range of risks as part of our ongoing research, taking into account the characteristics, capabilities, propensities, and affordances of our models and other sources of information, such as our internal risk taxonomies, internal expertise and relevant external research. As explained above, we have identified risk domains where, based on early research, we have determined significant or severe risks may be most likely to arise from future models: CBRN, cyber, harmful manipulation, as well as machine learning R&D and misalignment.” (p.5)

“Stealth and Situational Awareness TCL: The instrumental reasoning abilities of the model enable enough situational awareness (ability to discover and use relevant details of its deployment setting) and stealth (ability to circumvent basic oversight mechanisms) such that, absent additional mitigations, we cannot rule out the model significantly undermining human control.” (p.14)

“ML R&D acceleration level 1: Has been used to accelerate AI development, resulting in AI progress substantially accelerating from historical rates. […]
ML R&D automation level 1: Can fully automate the work of any team of researchers at Google focused on improving AI capabilities, with approximately comparable all-inclusive costs.” (p.15)

“The Framework is informed by the broader conversation on Frontier AI Safety and Security Frameworks.1” (p.2) followed by Footnote 1: “1 See https://www.gov.uk/government/publications/emerging-processes-for-frontier-ai-safety, https://metr.org/faisc, https://www.anthropic.com/rsp-updates, https://www.anthropic.com/news/compliance-framework-SB53, https://openai.com/index/updating-our-preparedness-framework/, https://www.frontiermodelforum.org/publications/#technical-reports.”

“As part of our broader research into and development of frontier AI models, we continue to assess whether there are other risk domains where significant or severe risks may arise and will update our approach as appropriate.” (p.5)

“The Frontier Safety Framework will be reviewed at least once a year—more frequently if we have reasonable grounds to believe the adequacy of the Framework or our adherence to it has been materially undermined. The process will involve (i) an assessment of the Framework’s appropriateness for the management of significant and severe risk, drawing on information sources such as record of adherence to the framework, relevant high-quality research, information shared through industry forums, and evaluation results, as necessary, and (ii) an assessment of our adherence to the Framework.” (p.17)

1.1.2 Exclusions are clearly justified and documented (50%) 25%

The framework covers the main risks present in the literature. However, it only provides a basic breakdown of loss of control risks into “stealth and situational awareness”, as well as “acceleration” and “automation” of AI R&D. There is no justification for why other aspects of loss of control risks like autonomy or autonomous self-replication have not been considered.

Further, the framework asserts that they “may […] update [their] risk domains and T/CCLs, where necessary”, but does not provide the concrete evidence that would be required for this to happen.

Quotes:

“As part of our broader research into and development of frontier AI models, we continue to assess whether there are other risk domains where significant or severe risks may arise and will update our approach as appropriate.” (p.5)

“We may include TCLs for additional risks in the future, as our threat modeling develops.” (p.4)

“The Frontier Safety Framework will be reviewed at least once a year […] Following this assessment, we may: Update our risk domains and T/CCLs, where necessary.” (p.17)

1.2 Identification of Unknown Risks (Open-ended red teaming) (20%) 7%

1.2.1 Internal open-ended red teaming (70%) 10%

The framework asserts that they “continue to assess whether there are other risk domains where significant or sever risks may arise and will upate [their] approach as appropriate”, but does not specify the method of this assessment and does not specify whether this is also done pre-deployment. Red-teaming is not mentioned in the context of novel risk identification.

Quotes:

“As part of our broader research into and development of frontier AI models, we continue to assess whether there are other risk domains where significant or severe risks may arise and will update our approach as appropriate.” (p.5)

1.2.2 Third party open-ended red teaming (30%) 0%

The framework doesn’t mention any third-party procedures pre-deployment to identify novel risk domains or risk models for the frontier model.

Quotes:

No relevant quotes found.

1.3 Risk modeling (40%) 13%

1.3.1 The company uses risk models for all the risk domains identified
and the risk models are published (with potentially dangerous
information redacted) (40%) 25%

The framework is centered around Critical Capability Levels (CCLs), which are “determined by identifying and analyzing the main foreseeable paths through which a model could result in severe harm”—a reasonably precise definition of risk modeling. However, any risk models completed are not published. To improve, DeepMind could reference literature in which their risk models have been published, e.g. refer to (Rodriguez et al. 2025) .There should also be evidence of a sincere attempt to map out the risk space as much as possible using representative scenarios.

Quotes:

“The Framework is built primarily around capability thresholds called ‘Critical Capability Levels (CCLs).’ These are capability levels at which, absent mitigation measures, frontier AI models or systems may pose heightened risk of severe harm. CCLs are determined by identifying and analyzing the main foreseeable paths through which a model could result in severe harm: we then define the CCLs as the minimal set of capabilities a model must possess to do so.” (p.4)

“As explained above, we have identified risk domains where, based on early research, we have determined significant or severe risks may be most likely to arise from future models: CBRN, cyber, harmful manipulation, as well as machine learning R&D and misalignment. […] For each of the four identified domains, we have developed specific scenarios and T/CCLs in which these risks could materialize.” (p.5)

“Central to our critical capability assessments are ‘early warning evaluations,’ which we use to test the specific threats and risk scenarios identified through our threat modeling, determine a model’s capability, and assess the proximity of the model to a T/CCL.” (p.5)

“CBRN uplift level 1: Provides low to medium resourced actors uplift in reference scenarios resulting in additional expected harm at severe scale.” (p.11)

1.3.2 Risk modeling methodology (40%) 9%

1.3.2.1 Methodology precisely defined (70%) 10%

There is an indication of an awareness of risk modeling methodologies, but there are no concrete details about implementation.

Quotes:

“CCLs are determined by identifying and analyzing the main foreseeable paths through which a model could result in severe harm: we then define the CCLs as the minimal set of capabilities a model must possess to do so.” (p.4)

“We identify potential risks that could stem from our models and analyze their characteristics to determine which of the identified risks could be significant or severe risks.” (p.5)

1.3.2.2 Mechanism to incorporate red teaming findings (15%) 0%

No mention of risks identified during open-ended red teaming or evaluations triggering further risk modeling.

Quotes:

No relevant quotes found.

1.3.2.3 Prioritization of severe and probable risks (15%) 10%

The framework centers around critical capability levels (CCLs) which “may pose heightened risk of severe harm”, which are “determined by identifying and analyzing the main foreseeable paths through which a model could result in severe harm”. However, no concrete risk models are given, and beyond descriptions of severity and probability do not go beyond “heightened risk” and “severe harm”, which are imprecise terms that can be interpreted in various ways. No examples are given of specific risk models considered and excluded.

Quotes:

“The Framework is built primarily around capability thresholds called ‘Critical Capability Levels (CCLs).’ These are capability levels at which, absent mitigation measures, frontier AI models or systems may pose heightened risk of severe harm. CCLs are determined by identifying and analyzing the main foreseeable paths through which a model could result in severe harm: we then define the CCLs as the minimal set of capabilities a model must possess to do so.” (p.4)

“As explained above, we have identified risk domains where, based on early research, we have determined severe risks may be most likely to arise from future models” (p.5)

“The Frontier Safety Framework focuses on possible severe risks stemming from high-impact capabilities of frontier AI models.” (p.4)

“Critical Capability Levels (CCLs): are the main capability thresholds around which we have built the Framework process. They represent the capability levels at which, absent mitigation measures, frontier AI models or systems may pose heightened risk of severe harm.
Tracked Capability Levels (TCLs): are capability thresholds which capture a lower level of risks than our CCLs. They represent the capability levels at which, absent mitigation measures, frontier AI models or systems may pose heightened risk of significant but not severe levels of harm.” (p.18)

1.3.3 Third party validation of risk models (20%) 0%

There is no mention of the external review of risk models.

Quotes:

No relevant quotes found.

 

Back to top

2.1 Setting a Risk Tolerance (35%) 5%

2.1.1 Risk tolerance is defined (80%) 3%

2.1.1.1 Risk tolerance is at least qualitatively defined for all risks (33%) 10%

They indicate that they will not tolerate certain risks of “significant or severe harm” which is not further defined. Each capability threshold functions as an implicit risk tolerance, e.g. “Cyber uplift level 1: Provides sufficient uplift with high impact cyber attacks for additional expected harm at severe scale.” However, these are vague. The framework references acceptable levels of residual risk, but does not specify what acceptable means.

Quotes:

“Cyber uplift level 1: Provides sufficient uplift with high impact cyber attacks for additional expected harm at severe scale.” (p.10)

“In particular, we will deem deployment mitigations adequate if the evidence suggests that for the T/CCLs the model has reached, the increase in likelihood of harm from the proposed external deployment has been reduced to an acceptable level.” (p.10)

“These are capability levels at which, absent mitigation measures, frontier AI models or systems may pose heightened risk of severe harm” (p.4)

“This process is designed to ensure that residual risk remains at acceptable levels”. (p 10)

2.1.1.2 Risk tolerance is expressed at least partly quantitatively as a combination of scenarios (qualitative) and probabilities (quantitative) for all risks (33%) 0%

The risk tolerance, implicit or otherwise, is not expressed fully or partly quantitatively.
No indication of expressing the risk tolerance beyond “severe harm”, which is not further defined. To improve, the risk tolerance should be expressed fully quantitatively or as a combination of scenarios with probabilities.

Quotes:
No relevant quotes found.

2.1.1.3 Risk tolerance is expressed fully quantitatively as a product of severity (quantitative) and probability (quantitative) for all risks (33%) 0%

No indication of expressing the risk tolerance beyond “severe harm”, which is not further defined. There is no quantitative definition of severity nor probabilities given.

Quotes:

No relevant quotes found.

2.1.2 Process to define the tolerance (20%) 10%

2.1.2.1 AI developers engage in public consultations or seek guidance from regulators where available (50%) 10%

No evidence of asking the public what risk levels they find acceptable. No evidence of seeking regulator input specifically on what constitutes acceptable risk levels. However, there is a process which draws on “relevant high-quality research” and “information shared through industry forums” which informs T/CCLs (which function as risk tolerances/unacceptable risk tiers). They reference engaging governments regarding practices overall.

Quotes:

“Where appropriate, we may engage relevant external actors, including governments, to inform our responsible development and deployment practices.” (p.6)

2.1.2.2 Any significant deviations from risk tolerance norms established in other industries is justified and documented (e.g., cost-benefit analyses) (50%) 10%

There is no evidence of comparing against norms. The closest analogus is a discussion related to proportionality writ large. Also, in several places, they explicitly weigh security against innovation costs

Quotes:
“The concept of proportionality is central to our determination of whether a particular mitigation has sufficiently reduced the risk to acceptable levels. The mitigation and the effects of such mitigation should also be assessed holistically and be proportionate with expected impact of a model’s risk, thus balancing safety with innovation”. (p.8)

“Models able to greatly assist cyber attack might be of interest to well-resourced state actors. However, the potential for automated
cyber-defense and social adaptation as a response to exfiltration means that higher levels of security, and the resulting costs to
innovation, are likely not warranted.” (p.12)

2.2 Operationalizing Risk Tolerance (65%) 30%

2.2.1 Key Risk Indicators (KRI) (30%) 41%

2.2.1.1 KRI thresholds are at least qualitatively defined for all risks (45%) 75%

Each risk domain has one or several KRIs, which are qualitatively defined. The KRI appears to be grounded in risk modelling. Google DeepMind operationalizes risk tolerance through explicit capability thresholds (TCLs/CCLs), evaluation-triggered alert thresholds, domain-specific capability definitions, and ongoing early warning evaluations, that function like KRIs.

Quotes:
“The Framework is built primarily around capability thresholds called “Critical Capability Levels (CCLs). These are capability levels at which, absent mitigation measures, frontier AI models or systems may pose heightened risk of severe harm. CCLs are determined by identifying and analyzing the main foreseeable paths through which a model could result in severe harm: we then define the CCLs as the minimal set of capabilities a model must possess to do so. CCLs are one important component of our risk acceptance determination.” (p.4)

“This update to the Framework introduces “Tracked Capability Levels (TCLs).” TCLs are meant to capture significant risks that may manifest at a lower capability threshold than our CCLs and we apply our mitigation and risk acceptance determination process proportionately.”(p.4)

“Central to our critical capability assessments are “early warning evaluations,” which we use to test the specific threats and risk scenarios identified through our threat modeling, determine a model’s capability, and assess the proximity of the model to a T/CCL” (p.5)

“CBRN uplift level 1: Provides low to medium resourced actors uplift in reference scenarios resulting in additional expected harm at severe scale.” (p.11)

2.2.1.2 KRI thresholds are quantitatively defined for all risks (45%) 10%

The framework does not provide fully quantitative KRI thresholds in the sense of numerical benchmark cutoffs or explicit scores but many of the KRIs are framed around measurable capability evaluations and benchmarkable model behaviors. The evaluations and alert thresholds point to this. A statement such as “resulting in AI progress substantially accelerating from historical rates” is not quantified, but has the potential to be.

Quotes:

“Central to our critical capability assessments are “early warning evaluations,” which we use to test the specific threats and risk scenarios identified through our threat modeling, determine a model’s capability, and assess the proximity of the model to a T/CCL.” (p.5)

“These assessments draw on model characteristics, such as its provenance, size, modality, and performance on general capability benchmarks. (p.5)

“ML R&D acceleration level 1: Has been used to accelerate AI development, resulting in AI progress substantially accelerating from historical rates.” (p.15)

2.2.1.3 KRIs also identify and monitor changes in the level of risk in the external environment (10%) 25%

This criterion is partially satisfied. The framework explicitly incorporates several forms of external-environment monitoring beyond static model capability evaluation, even if they are not formulated as pure KRIs. The framework explicitly considers broader threat landscapes, external model availability, post-market monitoring, historical incident data, evolving attacker capabilities, and deployment scope.

Quotes:
“We conduct further analysis, including reviewing model-independent information, external evaluations, and post-market monitoring as appropriate.” (p.6)

“What capabilities and mitigations are available on other publicly available models.” (p.7)

“whether data suggests a high (or low) likelihood of attempted misuse of models at the T/CCL”. (p.10)

2.2.2 Key Control Indicators (KCI) (30%) 37%

2.2.2.1 Containment KCIs (35%) 43%
2.2.2.1.1 All KRI thresholds have corresponding qualitative containment KCI thresholds (50%) 75%

This criterion is fairly strongly satisfied. The framework explicitly links KRI-like thresholds (TCLs/CCLs) to corresponding containment/security thresholds, especially via the security level system and deployment mitigation requirements. The clearest evidence is the explicit mapping from capability thresholds to required security levels. Additionally, the framework defines increasingly stringent containment standards SL2+, SL3, SL4 with descriptions of the protection objectives they imply.

Quotes:
“Critical Capability Level
Cyber uplift level 1: Provides sufficient uplift with high impact cyber attacks for additional expected harm at severe scale. Recommended security level and rationale
Security level 2+
Models able to greatly assist cyber attack might be of interest to well-resourced state actors. However, the potential for automated
cyber-defense and social adaptation as a response to exfiltration means that higher levels of security, and the resulting costs to
innovation, are likely not warranted.” (p.12)

“Security mitigations have been applied to the model weights reaching the recommended security level stated below.” (p.7)

2.2.2.1.2 All KRI thresholds have corresponding quantitative containment KCI thresholds (50%) 10%

This criterion is very weakly satisfied. The framework does define increasingly stringent containment/security thresholds tied to KRI thresholds, such as Security Level 2+ and references RAND’s scale, but does not define any measurable numeric security targets or concrete quantitative control thresholds.

Quotes:

“We are referring to the security goals and principles in the RAND framework, rather than the benchmarks” (p.9)

2.2.2.2 Deployment KCIs (35%) 43%
2.2.2.2.1 All KRI thresholds have corresponding qualitative deployment KCI thresholds (50%) 75%

This criterion is strongly satisfied. This is one of the clearest structural features of the framework: once a TCL/CCL (the KRI threshold) is reached, deployment mitigation thresholds must be satisfied before deployment is considered acceptable. The core evidence is the explicit deployment mitigation process tied to T/CCLs. The framework also defines the qualitative deployment mitigation categories themselves, mentioning e.g. “safety post-training, monitoring and analysis, account moderation, jailbreak detection and patching, user verification, and bug bounties”. They clearly focus on residual risk as the metric.

Quotes:
“The following mitigation process for external deployments will be applied to models reaching a misuse T/CCL”. (p.10)

“Developing and improving a suite of safeguards targeting the capability, which may include measures such as safety post-training, monitoring and analysis, account moderation, jailbreak detection and patching, user verification, and bug bounties.” (p.10)

“Pre-deployment review of residual risk assessment: external deployments of a model take place only after the appropriate governance function determines the residual risk to be acceptable.” (p.10)

2.2.2.2.2 All KRI thresholds have corresponding quantitative deployment KCI thresholds (50%) 10%

This criterion is very weakly satisfied. The framework does contain some semi-quantitative deployment KCI concepts tied to evaluation outcomes and robustness testing, but it does not define explicit numerical deployment thresholds that must be met before deployment.

Quotes:
“Assessing the robustness of these mitigations against the risk posed through testing (e.g. automated evaluations, red teaming) and threat modeling research.” (p.10)

2.2.2.3 For advanced KRIs, assurance process KCIs are defined (30%) 25%

This criterion is partially satisfied. The framework is comparatively sophisticated in this respect. The clearest advanced KRI is the Stealth and Situational Awareness TCL.

Quotes:

“Stealth and Situational Awareness TCL: The instrumental reasoning abilities of the model enable enough situational awareness (ability to discover and use relevant details of its deployment setting) and stealth (ability to circumvent basic oversight mechanisms) such that, absent additional mitigations, we cannot rule out the model significantly undermining human control. ” (p.14)

2.2.3 Pairs of thresholds are grounded in risk modeling to show that risks remain below the tolerance (20%) 25%

Google DeepMind’s framework partially satisfies this criterion. The framework clearly articulates a process whereby: capability thresholds (TCLs/CCLs) trigger mitigations, mitigations are evaluated, residual risk assessments are conducted, safety cases supplement CCL assessments at higher levels, and governance bodies determine whether residual risk is “acceptable.” However, it does not quantified mappings between specific KRIs/TCLs/CCLs and KCIs/mitigations showing that residual risk remains below tolerance, nor present quantified confidence levels, uncertainty bounds, or safety margins. The “safety case” concept is invoked, but the framework does not specify a structured probabilistic or engineering-style methodology akin to a quantified safety case.

Quotes:
“A model for which the inherent risk assessment indicates a misuse T/CCL has been reached will be deemed to pose an acceptable level of residual risk for further development or deployment, if:
○ We assess that the deployment mitigations have brought the residual risk of harm to an
acceptable level, based on considerations such as the effectiveness of mitigations, the
scope of the deployment, what capabilities and mitigations are available on other
publicly available models (e.g. if other models are similarly capable and have few
mitigations, then the marginal risk added by our external deployment is likely low), and
the historical incidence and severity of related events. This is required only for external
deployment, not internal deployment or further development.
○ Security mitigations have been applied to the model weights reaching the
recommended security level stated below, or we otherwise assess that the level of
security applied is adequate, e.g. based on mitigations already in place, if they match or
exceed the level of security applied to other models with similar capabilities or risk
profiles, or we assess that the benefits of the open release of model weights outweigh
the risks.” (p.7)

“Models reaching TCLs or CCLs will be subject to residual risk assessments as part of evaluating their deployment mitigations. For models reaching CCLs, the residual risk assessment will be informed by a supplemental safety case.” (p.7)

2.2.4 Policy to put development on hold if the required KCI threshold cannot be achieved, until sufficient controls are implemented to meet the threshold (20%) 10%

Google DeepMind’s framework partially satisfies this criterion, but falls short of a fully explicit operational commitment to mandatory pauses/de-deployment when controls are inadequate. The framework does contain clear gating language around deployment approval, governance review requirements, requirements that residual risk be deemed “acceptable” before deployment, iterative mitigation processes, references to updating mitigations and safety cases after deployment, and some indication that unacceptable risk should block deployment. However, it does not clearly and unequivocally commit to pausing development if mitigation thresholds cannot be met, suspending further scaling/training, mandatory de-deployment or rollback procedures, explicit stop conditions tied to failed KCIs, formal escalation/containment procedures if residual risk remains unacceptable.

Quotes:
“External deployments of a model take place only after the appropriate governance function determines the residual risk to be acceptable (including a safety case where a CCL has been reached).” (p.7)

“With iteration on mitigations and residual risk assessments, we believe that we are able to make informed decisions about the level of risk via a T/CCL before a model is deployed, and prevent models posing unacceptable levels of risk from being deployed.” (p.10)

Back to top

3.1 Implementing Mitigation Measures (50%) 24%

3.1.1 Containment measures (35%) 19%

3.1.1.1 Containment measures are precisely defined for all KCI thresholds (60%) 25%

Google DeepMind’s framework partially satisfies this criterion, but not strongly. The framework does provide fairly concrete categories of containment/security mitigations, some examples of specific controls, explicit linkage between capability thresholds and recommended security levels, mitigation processes tied to T/CCLs. However containment KCIs themselves are not explicitly defined,
thresholds for what constitutes sufficient containment are mostly qualitative, many measures are illustrative (“may include…”), implementation specifics are intentionally left flexible and evolving, and there is no comprehensive mapping from each threshold to a precisely specified required control set.

Quotes:
“Security mitigations against exfiltration or unauthorized modification risk, such as identity and access management practices and hardening interface-access to unreleased model parameters, are important for models reaching misuse CCLs.” (p.9)

“We use security levels to indicate security goals/principles in line with the corresponding level in the
RAND model weight security framework. We also define and recommend “Security Level 2+,” which uses RAND Security Level 2 (SL2) as a baseline, with additional security measures designed to address risks from insider threats and well-resourced non-state external actors. These additional measures may include, for example: dedicated insider risk teams; background checks and ID verification for personnel with sensitive access; review of model training data for signs of tampering; mandating that the processing of untrusted inputs occurs within sandboxed environments; advanced red-teaming that simulates well-resourced adversaries (including Advanced Persistent Threat (APT) groups); and proactive threat hunting with 24/7 incident response capabilities.” (p.9)

“We recommend a security level for each CCL, which reflects our assessment of the minimum appropriate level of security the field of frontier AI should apply to models reaching each CCL.” (p.11)

“Because we cannot always anticipate what security and deployment mitigations will be appropriate for models beyond the current frontier, the specific mitigations we implement may be determined when a T/CCL is reached.” (p.6)

3.1.1.2 Proof that containment measures are sufficient to meet the thresholds (40%) 10%

Google DeepMind’s framework only weakly satisfies this criterion. The framework does contain a formal residual risk assessment process, references to testing, threat modeling, empirical evaluation, red teaming, and safety cases, governance review before deployment, and iterative mitigation assessment processes. However, it does not provide proof that containment/security measures are sufficient to satisfy predefined containment thresholds, explicit KCI thresholds, quantified sufficiency criteria, ex ante evidentiary standards, predefined proof requirements, confidence levels, or predictable/non-discretionary implementation rules.

Quotes:
“Deployment mitigations: we will use a combination of threat modeling, empirical testing, and other sources of information to assess the effectiveness and limitations of our deployment mitigations.” (p.7)

“This residual risk assessment could take into account factors such as i. The effectiveness of the mitigations. For example, tests run on mitigated models may suggest that the refusal rate and jailbreak robustness together imply that threat actors are unlikely to be able to circumvent safeguards.” (p.10)

“Where the model has reached a CCL, the residual risk assessment will be supplemented with a safety case.” (p.10)

3.1.1.3 Strong third party verification process to verify that the containment measures meet the threshold (100% if 3.1.1.3 > [60% x 3.1.1.1 + 40% x 3.1.1.2]) 0%

Google DeepMind’s framework does not satisfy this criterion. The framework does acknowledge involvement of external experts, possible involvement of governments, external evaluations, external organizations, and disclosure of evaluation results in some circumstances. However, it does not establish a structured third-party verification or audit regime, mandatory external audits before deployment, independent certification of containment/security sufficiency, independence guarantees, publication of external assurance reports or external sign-off requirements for containment thresholds. The framework gestures toward external involvement, but not in a structured assurance-oriented way.

Quotes:
No relevant quotes found.

3.1.2 Deployment measures (35%) 40%

3.1.2.1 Deployment measures are precisely defined for all KCI thresholds (60%) 50%

Google DeepMind’s framework moderately satisfies this criterion. Deployment mitigations are described in some operational detail, concrete examples of deployment controls are given and mitigation assessment processes are articulated. However, the framework falls short because deployment KCIs are not explicitly defined, deployment thresholds are not operationalized into measurable control requirements, and mitigations remain partly illustrative and discretionary.

Quotes:
“The following mitigation process for external deployments will be applied to models reaching a misuse T/CCL, allowing for iterative and flexible tailoring of mitigations to each risk and use case. 1. Development and assessment of mitigations: safeguards and an accompanying residual risk assessment are developed by iterating on the following: a. Developing and improving a suite of safeguards targeting the capability, which may include measures such as safety post-training, monitoring and analysis, account
moderation, jailbreak detection and patching, user verification, and bug bounties. b. Assessing the robustness of these mitigations against the risk posed through testing (e.g. automated evaluations, red teaming) and threat modeling research.” (p.10)

3.1.2.2 Proof that deployment measures are sufficient to meet the thresholds (40%) 25%

The framework describes a process, assumedly internal, for “evaluate the effectiveness and limitations of mitigations”, but does not detail why they ex ante believe their deployment measures to be sufficient. Instead, it relies on the “appropriate corporate governance body” and their discretion. To improve, this proof should be garnered in advance, to be sure that the measures will be sufficient to meet the KCI threshold once the model crosses the relevant KRI threshold, and indeed have “proactive mitigation plans”.

Quotes:

“We will use various processes to evaluate the effectiveness and limitations of mitigations: […] Deployment mitigations: we will use a combination of threat modeling, empirical testing, and other sources of information to assess the effectiveness and limitations of our deployment mitigations. These will form the basis of a safety case for models reaching CCLs, that will be reviewed before deployment.” (p. 6)

“Prepare and articulate proactive mitigation plans to ensure severe risks are adequately mitigated when such capability levels are attained.” (p. 2)

“This process is designed to ensure that residual risk remains at acceptable levels: evidence of efficacy collected during development and testing, as well as expert-driven estimates of other parameters, will enable us to assess residual risk and to detect substantial changes that invalidate our risk assessment. With iteration on safeguards and safety cases, we believe that we are able to make informed decisions about the level of risk via a CCL before a model is released, and reliably prevent models posing unacceptable levels of risk from being deployed.” (p. 9)

3.1.2.3 Strong third party verification process to verify that the deployment measures meet the threshold (100% if 3.1.2.3 > [60% x 3.1.2.1 + 40% x 3.1.2.2]) 0%

Google DeepMind’s framework very weakly satisfies this criterion. The framework does contain references to external experts, references to external evaluations, references to red teaming, some disclosure language and optional engagement with governments and external organizations. However, it does not establish a structured third-party verification regime for deployment safeguards, mandatory external red teaming prior to deployment, independent verification that deployment mitigations satisfy thresholds, expert qualification criteria, independence guarantees, publication of external assurance reports or any external sign-off or certification processes.

Quotes:
“When a model reaches an alert threshold for a CCL, we will assess the proximity of the model to the CCL and analyze the risk posed, involving internal and external experts as needed.” (p.6)

“Assessing the robustness of these mitigations against the risk posed through testing (e.g. automated evaluations, red teaming) and threat modeling research.” (p.10)

3.1.3 Assurance processes (30%) 10%

3.1.3.1 Credible plans towards the development of assurance processes (40%) 25%

Google DeepMind’s framework weakly-to-moderately satisfies this criterion, primarily because it does acknowledge that current methods and mitigations are evolving and potentially insufficient, and it outlines a process for iterative improvement. However, it falls well short of providing a concrete assurance-process development roadmap.The framework does reasonably well on acknowledging uncertainty and immaturity, recognizing that mitigations and evaluations will need to evolve, articulating escalation thresholds (TCLs/CCLs/alert thresholds) and describing future-oriented monitoring and assessment processes. But it does not provide explicit assurance-process KCIs, explicit acknowledgement that current assurance processes are insufficient, detailed assurance roadmaps,
technical milestones, timelines, capability-growth-linked preparedness plans, forecasting-based readiness targets, or concrete plans for developing future assurance infrastructure.

Quotes:
“The Framework is based on early and evolving research. We may change our approach over time as we
gain experience and insights on the projected capabilities of future frontier models. We will review the
Framework periodically and we expect it to evolve substantially as our understanding of the risks and
benefits of frontier models improves.” (p.2)

“Because the science of AI risk assessment is still developing, our assessments will often involve some level of subjective analysis.” (p.8)

“Because we cannot always anticipate what security and deployment mitigations will be appropriate for models beyond the current frontier, the specific mitigations we implement may be determined when a T/CCL is reached.” (p.6)

“We may run early warning evaluations more frequently or adjust alert thresholds if the rate of progress suggests our safety buffer is no longer adequate.” (p.5)

3.1.3.2 Evidence that the assurance processes are enough to achieve their corresponding KCI thresholds (40%) 0%

Google DeepMind’s framework does not satisfy this criterion. The framework contains defined processes for empirical evaluation, red teaming, and some notion of evidence collection. However, it does not provide a dedicated assurance-process validation methodology, empirical validation of the assurance processes themselves, model-organism demonstrations, theoretical guarantees, formal assurance benchmarks, evidence that oversight/audit/safety-case processes are themselves reliable, or any meta-evaluation of assurance quality.

Quotes:
No relevant quotes found.

3.1.3.3 The underlying assumptions that are essential for their effective implementation and success are clearly outlined (20%) 10%

Google DeepMind’s framework very weakly satisfies this criterion. The framework does contain some implicit assumptions underlying its assurance approach, acknowledgment of uncertainty and evolving science, discussion of safety buffers, alert thresholds, and evaluation limitations and some recognition that evaluations and mitigations may fail or become inadequate. However, it does not explicitly articulate core technical assumptions underlying assurance validity, assumptions about evaluator reliability, assumptions about chain-of-thought faithfulness, assumptions about absence of sandbagging/deception, assumptions about generalization from evals, assumptions about robustness of monitoring or assumptions about interpretability or detectability. Nor does it provide systematic stress testing of such assumptions, empirical validation of assumption robustness, confidence levels around assumption validity or contingency plans for assumption failure.

Quotes:

“Because the science of AI risk assessment is still developing, our assessments will often involve some level of subjective analysis.” (p.8)

“We may run early warning evaluations more frequently or adjust alert thresholds if the rate of progress suggests our safety buffer is no longer adequate.” (p.5)

“Because we cannot always anticipate what security and deployment mitigations will be appropriate for models beyond the current frontier.” (p.6)

‘In our evaluations, we seek to apply appropriate scaffolding, inference compute, and other augmentations to also assess the capabilities of systems that will likely be produced with the model.” (p.5)

3.2 Continuous Monitoring and Comparing Results with Pre-determined Thresholds (50%) 17%

3.2.1 Monitoring of KRIs (40%) 19%

3.2.1.1 Justification that elicitation methods used during the evaluations are comprehensive enough to match the elicitation efforts of potential threat actors (30%) 25%

Google DeepMind’s framework moderately satisfies this criterion. The framework explicitly recognizes the importance of strong elicitation, the possibility that threat actors may elicit more capability than evaluators, the need for scaffolding/augmentation, the need to upper-bound realistic system capabilities rather than merely base-model behavior and the need for conservative evaluation practices. However, it falls short of fully satisfying the criterion because it provides very little operational detail, there are no concrete elicitation protocols, no compute budgets, no finetuning procedures, no explicit capability upper-bound methodology, or quantified justification that evaluations truly upper-bound adversarial elicitation.

Quotes:
“Risk assessment must take into account the fact that other actors may put significantly more effort into eliciting capabilities than we put into assessing risk, thus requiring conservatism in the form of evaluations.” (p.6)

“In our evaluations, we seek to apply appropriate scaffolding, inference compute, and other augmentations to also assess the capabilities of systems that will likely be produced with the model.” (p.5)

 

3.2.1.2 Evaluation frequency (25%) 25%

Google DeepMind’s framework moderately satisfies this criterion. The framework does fairly well on establishing recurring and lifecycle-wide evaluation processes, tying evaluations to model updates and capability changes, recognizing the need for more frequent evaluations under rapid capability progress and incorporating both periodic review and capability-triggered reassessment logic. However, it falls short because evaluation cadence is not concretely specified, there are no fixed periodic schedules for evaluations themselves, there are no explicit compute-trigger thresholds, “material capability increase” remains qualitative, and there is little operational detail about scaling-based triggers.

Quotes:
“We conduct our risk management process as appropriate, throughout the model development process, on various checkpoints or versions of a model, both before and after deployment.” (p.5)

“For external deployment of subsequent versions of the model, we determine whether a substantial modification has been made and whether a further critical capability assessment is required if (1) the model has meaningful new capabilities or material increases in performance; and (2) we believe such material capability increase could materially undermine the justification for why the risks stemming from the model are acceptable.” (p.5)

“To understand if a subsequent version of the model has meaningful new capabilities or material increases in performance relative to the last checkpoint subject to a critical capability assessment, we conduct material capability change assessments on various checkpoints upon the completion of a post-training run.” (p.5)

“We may run early warning evaluations more frequently or adjust alert thresholds if the rate of progress suggests our safety buffer is no longer adequate.” (p.5)

3.2.1.3 Description of how post-training enhancements are factored into capability assessments (15%) 25%

Google DeepMind’s framework moderately satisfies this criterion conceptually, but operationalizes it weakly. It explicitly discusses post-training capability increases, material capability change assessments, repeated reassessment after post-training runs, scaffolding/inference-compute augmentation, safety buffers, alert thresholds andincreasing evaluation frequency if progress accelerates. However, it still falls short because there is no concrete methodology for incorporating post-training enhancements, no quantified uncertainty margins, no forecasting methodology, no explicit treatment of reasoning-model inference scaling, no operationalized safety-margin calculation process and no measurable thresholds tied to post-training capability uplift.

Quotes:
“To understand if a subsequent version of the model has meaningful new capabilities or material increases in performance relative to the last checkpoint subject to a critical capability assessment, we conduct material capability change assessments on various checkpoints upon the completion of a post-training run.” (p.5)

“In our evaluations, we seek to apply appropriate scaffolding, inference compute, and other augmentations to also assess the capabilities of systems that will likely be produced with the model based on the specific threats and risk scenarios we have identified for the T/CCL.” (p.5)

“Material Capability Increases: are meaningful new capabilities or material increases in model performance that we believe could materially undermine our justifications for a model’s level of risk being acceptable.” (p.19)

3.2.1.4 Vetting of protocols by third parties (15%) 10%

Google DeepMind’s framework weakly satisfies this criterion. The framework does contain references to external experts, references to external evaluations, some governance-review mechanisms andsome engagement with governments and external actors. However, it does not establish a structured process for third-party review of KRI assessment methodologies, independent vetting of evaluation protocols, external review of elicitation methods, or formal methodology review governance.

Quotes:
“When a model reaches an alert threshold for a CCL, we will assess the proximity of the model to the CCL and analyze the risk posed, involving internal and external experts as needed.” (p.6)

“Where appropriate, we may engage relevant external actors, including governments, to inform our responsible development and deployment practices.” (p.6)

3.2.1.5 Replication of evaluations by third parties (15%) 0%

Google DeepMind’s framework does not satisfy this criterion.

Quotes:
No relevant quotes found.

3.2.2 Monitoring of KCIs (40%) 10%

3.2.2.1 Detailed description of evaluation methodology and justification that KCI thresholds will not be crossed unnoticed (40%) 25%

Google DeepMind’s framework moderately satisfies this criterion conceptually, but only weakly satisfies it operationally. The framework clearly establishes ongoing monitoring processes, residual risk reassessment, post-market monitoring, iterative mitigation review, empirical testing, reassessment after capability changes and adjustment of evaluation frequency and alert thresholds. However, it still falls short because KCIs themselves are not explicitly defined, no quantitative efficacy thresholds are specified, no confidence levels are provided, failure mode analysis is only implicit, there is no rigorous statistical detection methodology and no formal false-negative/error-rate treatment is given.

Quotes:
“We conduct our risk management process as appropriate, throughout the model development process, on various checkpoints or versions of a model, both before and after deployment.” (p.5)

“Assessing the robustness of these mitigations against the risk posed through testing (e.g. automated evaluations, red teaming) and threat modeling research.” (p.10)

“We conduct further analysis, including reviewing model-independent information, external evaluations, and post-market monitoring as appropriate.” (p.6)

“We may run early warning evaluations more frequently or adjust alert thresholds if the rate of progress suggests our safety buffer is no longer adequate.” (p.5)

3.2.2.2 Vetting of protocols by third parties (30%) 0%

Google DeepMind’s framework does not satisfy this criterion.

Quotes:
No relevant quotes found.

3.2.2.3 Replication of evaluations by third parties (30%) 0%

Google DeepMind’s framework does not satisfy this criterion.

Quotes:
No relevant quotes found.

3.2.3 Transparency of evaluation results (10%) 21%

3.2.3.1 Sharing of evaluation results with relevant stakeholders as appropriate (85%) 25%

Google DeepMind’s framework partially satisfies this criterion. It has a meaningful commitment to notifying authorities under some circumstances, but much weaker commitments around public transparency of KRI/KCI evaluations. It has moderate compliance on regulator/government notification, weak compliance on public disclosure of evaluations and very weak compliance on predefined transparency criteria. The disclosure obligations are conditional, discretionary, limited in scope, not tied to all KRI/KCI pairings and not framed as routine transparency.

Quotes:
“If we assess that a model has reached a CCL that poses an unmitigated and material risk to overall public safety, we aim to share relevant information with appropriate government authorities where it will facilitate safety of frontier AI.” (p.17)

“We may also consider disclosing information to other external organizations to promote shared learning and coordinated risk mitigation.” (p.17)

“Where appropriate, and subject to adequate confidentiality and security measures and considerations around proprietary and sensitive information, this information may include:
● Model information: characteristics of the AI model relevant to the risk it may pose with its critical capabilities.
● Evaluation results: such as details about the evaluation design, the results, and any robustness
tests.
● Mitigation plans: descriptions of our mitigation plans and how they are expected to reduce the
risk. (p.17)

3.2.3.2 Commitment to non-interference with findings (15%) 0%

Google DeepMind’s framework does not satisfy this criterion.

Quotes:
No relevant quotes found.

3.2.4 Monitoring for novel risks (10%) 38%

3.2.4.1 Identifying novel risks post-deployment: engages in some process (post deployment) explicitly for identifying novel risk domains or novel risk models within known risk domains (50%) 50%

Google DeepMind’s framework moderately satisfies this criterion conceptually, though the justification for why the process will successfully identify novel risks remains fairly weak and high-level. The framework explicitly recognizes that risk domains may evolve, commits to ongoing reassessment, includes post-market monitoring, includes iterative framework updates, contemplates adding new risk domains/TCLs/CCLs, and incorporates external research and incident learning. However, there only moderate evidence of post-deployment learning mechanisms and justification that the process is sufficient.

Quotes:
“As part of our broader research into and development of frontier AI models, we continue to assess whether there are other risk domains where significant or severe risks may arise and will update our approach as appropriate.” (p.5)

‘In particular, we strive to learn from our post-market monitoring mechanisms, including as part of our detection, mitigation, response and/or reporting of incidents relating to our frontier safety risk domains.” (p.6)

“Actionable insights from these processes allow us to enhance our tools, training, processes, policies, and response efforts.” (p.6)

‘We may include TCLs for additional risks in the future, as our threat modeling develops.” (p.4)

3.2.4.2 Mechanism to incorporate novel risks identified post-deployment (50%) 25%

Google DeepMind’s framework moderately satisfies this criterion. It explicitly connects post-deployment monitoring, framework updates, updating risk domains/TCLs/testing approaches and iterative reassessment. However, it still falls short of a fully mature operationalized mechanism because it does not explicitly describe cascading updates across multiple risk models, it does not provide formal escalation pathways, it does not define structured scenario-analysis procedures for novel findings and it does not explicitly discuss cross-domain propagation of newly discovered capabilities/risk pathways. So it is weak on operational detail for cross-model incorporation.

Quotes:
“The Frontier Safety Framework will be reviewed at least once a year—more frequently if we have reasonable grounds to believe the adequacy of the Framework or our adherence to it has been materially undermined. The process will involve (i) an assessment of the Framework’s appropriateness for the management of significant and severe risk, drawing on information sources such as record of adherence to the framework, relevant high-quality research, information shared through industry forums, and evaluation results, as necessary, and (ii) an assessment of our adherence to the Framework. Following this assessment, we may:
● Update our risk domains and T/CCLs, where necessary.
● Update our testing and mitigation approaches, where needed to ensure risk remains adequately assessed and addressed according to our current understanding.” (p.17)

“Actionable insights from these processes allow us to enhance our tools, training, processes, policies, and response efforts.” (p.6)

Back to top

4.1 Decision-making (25%) 15%

4.1.1 The company has clearly defined risk owners for every key risk identified and tracked (25%) 0%

No mention of risk owners.

Quotes:

No relevant quotes found.

4.1.2 The company has a dedicated risk committee at the management level that meets regularly (25%) 0%

No mention of a management risk committee.

Quotes:

No relevant quotes found.

4.1.3 The company has defined protocols for how to make go/no-go decisions (25%) 50%

The framework outlines fairly detailed protocols for decision-making, but is more vague than some other companies on who makes the decisions and the basis for them.

Quotes:

“When a model reaches an alert threshold for a CCL, we will assess the proximity of the model to the CCL and analyze the risk posed, involving internal and external experts as needed. This will inform the formulation and application of a response plan.” (p.6)
“2. Pre-deployment review of residual risk assessment: external deployments of a model take place only after the appropriate governance function determines the residual risk to be acceptable (including a safety case where a CCL has been reached). In particular, we will deem deployment mitigations adequate if the evidence suggests that for the T/CCLs the model has reached, the increase in likelihood of harm from the proposed external deployment has been reduced to an acceptable level. 3. Post-deployment processes: our residual risk assessments, safety cases and mitigations may be updated as a result of post-market monitoring, including information about incidents relating to our frontier safety risk domains. Material updates to a safety case will be submitted to the appropriate governance function for review and might result in updates to the related residual risk assessment or safety case.” (p.9)
“For Google models, when alert thresholds are reached, the response plan will be reviewed and approved by appropriate corporate governance bodies”. (p.7)

4.1.4 The company has defined escalation procedures in case of incidents (25%) 10%

The framework mentions that GDM “strive to learn” from their post-market monitoring mechanisms, including from “detection, mitigation, response and/or reporting of incidents relating to frontier safety risk domains”. It also states that “residual risk assessments, safety cases and mitigations may be updated as a result of post-market monitoring, including information about incidents”, which “might result in updates to the related residual risk assessments or safety case”. This provides a high-level description of actions that might be taken in the case of incidents. However, it uses non-committal language, and does not specify timelines and specific actors involved in the process

Quotes:

“we strive to learn from our post-market monitoring mechanisms, including as part of our detection, mitigation, response and/or reporting of incidents relating to our frontier safety risk domains. Actionable insights from these processes allow us to enhance our tools, training, processes, policies, and response efforts.” (p.5)

“Post-deployment processes: our residual risk assessments, safety cases and mitigations may be updated as a result of post-market monitoring, including information about incidents relating to our frontier safety risk domains. Material updates to a safety case will be submitted to the appropriate governance function for review and might result in updates to the related residual risk assessment or safety case.” (p.14)

4.2. Advisory and Challenge (20%) 14%

4.2.1 The company has an executive risk officer with sufficient resources (16.7%) 0%

No mention of an executive risk officer.

Quotes:

No relevant quotes found.

4.2.2 The company has a committee advising management on decisions involving risk (16.7%) 10%

The only structures mentioned are “appropriate corporate governance bodies” and the “appropriate governance function”, but no specifics are provided.

Quotes:

“Pre-deployment review of residual risk assessment: external deployments and high-risk internal deployments of a model take place only after the appropriate governance function determines the residual risk to be acceptable (including a safety case where a CCL has been reached) […]
Post-deployment processes: our residual risk assessments, safety cases and mitigations may be updated as a result of post-market monitoring, including information about incidents relating to our frontier safety risk domains. Material updates to a safety case will be submitted to the appropriate governance function for review and might result in updates to the related residual risk assessment or safety case.” (p.14)

“The updated version and framework assessment will be reviewed by the appropriate corporate governance bodies.” (p.17) 

“A critical capability assessment may not be conducted for low-risk external deployments (e.g. to a small number of trusted testers) if the appropriate governance function determines the residual risk of such deployments to be acceptable even if the model has reached a T/CCL (including with a safety case where a CCL has been reached).” (p.5)

4.2.3 The company has an established system for tracking and monitoring risks (16.7%) 50%

The framework specifies a system of tracked (TCL) and critical (CCL) capability levels which helps GDM keep track of the risks stemming from its models in a systematic way. Classification into those levels is done based on “evaluation results, expert assessments, and other sources of information”, as well as “model-indepenedent information, external evalutioans, and post market monitoring as appropriate”. While this creates a framework to asess and categorize risks, the framework is missing a description of a concrete way that the risk information is aggregated, such as a dashboard or equivalent

Quotes:

“In the Framework, we specify protocols for the detection of capability levels at which frontier AI models may pose significant or severe risks (which we call ‘Tracked Capability Levels (TCLs)’ and ‘Critical Capability Levels (CCLs)’ respectively)” (p.2)

“To understand if a subsequent version of the model has meaningful new capabilities or material increases in performance relative to the last checkpoint subject to a critical capability assessment, we conduct material capability change assessments on various checkpoints upon the completion of a post-training run. […] We may also conduct light-weight versions of our ‘early warning evaluations’ […] to confirm a model remains below T/CCL.” (p.5)

“Central to our critical capability assessments are ‘early warning evaluations,’ which we use to test the specific threats and risk scenarios identified through our threat modeling, determine a model’s capability, and assess the proximity of the model to a T/CCL. For CCLs, we define ‘alert thresholds,’ which may draw on evaluation results, expert assessments, and other sources of information; that are designed to flag when a CCL may be reached before a critical capability assessment is conducted again. […] We may run early warning evaluations more frequently or adjust alert thresholds if the rate of progress suggests our safety buffer is no longer adequate. We conduct further analysis, including reviewing model-independent information, external evaluations, and post-market monitoring as appropriate. In particular, we strive to learn from our post-market monitoring mechanisms, including as part of our detection, mitigation, response and/or reporting of incidents relating to our frontier safety risk domains. Actionable insights from these processes allow us to enhance our tools, training, processes, policies, and response efforts.
Our approach to model evaluations and inherent risk assessments described above means we can proactively monitor a model’s capabilities throughout the entire lifecycle of the model and ensure that any significant or severe risk is properly identified and mitigated.” (pp.5–6)

“Our residual risk assessments, safety cases and mitigations may be updated as a result of post-market monitoring, including information about incidents relating to our frontier safety risk domains. Material updates to a safety case will be submitted to the appropriate governance function for review […]” (p.14)

“When a model has reached this TCL, we will carry out periodic residual risk assessments of the misalignment risk posed. This assessment may take into account models’ alignment propensities, capabilities, and our defenses against misaligned models.” (p.14)

4.2.4 The company has designated people that can advise and challenge management on decisions involving risk (16.7%) 0%

No mention of people that challenge decisions.

Quotes:

No relevant quotes found.

4.2.5 The company has an established system for aggregating risk data and reporting on risk to senior management and the Board (16.7%) 25%

The framework states that “material updates to a safety case will be submitted to the appropriate governance function for review”, and that “updated version [of the framework] and framework assessment will be reviewed by the appropriate corporate governance bodies”. It does not specify what those governance functions or bodies are, what the format is, and at what cadence information is shared.

Quotes:

“Post-deployment processes: our residual risk assessments, safety cases and mitigations may be updated as a result of post-market monitoring, including information about incidents relating to our frontier safety risk domains. Material updates to a safety case will be submitted to the appropriate governance function for review and might result in updates to the related residual risk assessment or safety case.” (p.14)

“The updated version and framework assessment will be reviewed by the appropriate corporate governance bodies.” (p.17) 

“Responsibilities for assessing and mitigating risks are clearly defined and allocated across all levels of the organization. This includes legal, compliance, and safety reviews with escalation procedures to ensure appropriate oversight.” (p.16)

4.2.6 The company has an established central risk function (16.7%) 0%

No mention of a central risk function.

Quotes:

No relevant quotes found.

4.3 Audit (20%) 10%

4.3.1 The company has an internal audit function involved in AI governance (50%) 10%

Google DeepMind commits to assessing “adherence to the Framework” at least annually, but does not specify which body conducts this assessment or how independence is ensured. The review is described as being conducted by “appropriate corporate governance bodies” without further specification. This lacks the independence and specificity typically associated with internal audit functions.

Quotes:

“We have in place a well-established and comprehensive internal governance structure designed to ensure the robust implementation of the processes outlined in this Frontier Safety Framework. Responsibilities for assessing and mitigating risks are clearly defined and allocated across all levels of the organization. This includes legal, compliance, and safety reviews with escalation procedures to ensure appropriate oversight.” (p.16)

“The Frontier Safety Framework will be reviewed at least once a year—more frequently if we have reasonable grounds to believe the adequacy of the Framework or our adherence to it has been materially undermined. The process will involve (i) an assessment of the Framework’s appropriateness for the management of significant and severe risk, drawing on information sources such as record of adherence to the framework, relevant high-quality research, information shared through industry forums, and evaluation results, as necessary, and (ii) an assessment of our adherence to the Framework. Following this assessment, we may:
● Update our risk domains and T/CCLs, where necessary.
● Update our testing and mitigation approaches, where needed to ensure risk remains adequately assessed and addressed according to our current understanding.
The updated version and framework assessment will be reviewed by the appropriate corporate governance bodies.” (p.17)

4.3.2 The company involves external auditors (50%) 10%

The framework mentions involving external experts “as needed” to assess the proximity of a model to a TCL or CCL or to infrom GDM’s development and deployment practices. It leaves unspecified who those external experts are, how their independence is ensured, the degree of access granted to them, and the scope of their involvement.

Quotes:

“[E]arly warning evaluations will be used to assess the proximity of a model to a TCL and analyze the risk posed, involving internal and external experts as needed.” (p.4)

“When a model reaches an alert threshold for a CCL, we will assess the proximity of the model to the CCL and analyze the risk posed, involving internal and external experts as needed.” (p.6)

“Where appropriate, we may engage relevant external actors, including governments, to inform our responsible development and deployment practices.” (p.6)

4.4 Oversight (20%) 5%

4.4.1 The Board of Directors of the company has a committee that provides oversight over all decisions involving risk (50%) 0%

No mention of a Board risk committee.

Quotes:

No relevant quotes found.

4.4.2 The company has other governing bodies outside of the Board of Directors that provide oversight over decisions (50%) 10%

The framework mentions “corporate governance bodies” that review frameworks and can veto external and high-risk internal deployments of models, but it is unclear whether these entities reside within or outside the board, and what the scope of their roles and responsibilities are.

Quotes:

“We have in place a well-established and comprehensive internal governance structure designed to ensure the robust implementation of the processes outlined in this Frontier Safety Framework. Responsibilities for assessing and mitigating risks are clearly defined and allocated across all levels of the organization. This includes legal, compliance, and safety reviews with escalation procedures to ensure appropriate oversight.” (p.16)

“The updated version and framework assessment will be reviewed by the appropriate corporate governance bodies.” (p.17)

“Pre-deployment review of residual risk assessment: external deployments and high-risk internal deployments of a model take place only after the appropriate governance function determines the residual risk to be acceptable […] Material updates to a safety case will be submitted to the appropriate governance function for review […]” (p.13)

4.5 Culture (10%) 7%

4.5.1 The company has a strong tone from the top (33.3%) 10%

The framework includes a few references that reinforces the tone from the top, but would benefit from more substantial commitments to managing risk. It also posits that mitigations should “assessed holistically” to “balanc[e] safety with innovation”, which is a defensible principle but could be interpreted as softening the framework’s commitment to upholding safe development and deployment practices in the face of asserted benefits to “innovation”.

Quotes:

“The Frontier Safety Framework is a set of protocols that aims to address severe risks that may arise from the high-impact capabilities of frontier AI models. It complements Google’s suite of AI responsibility and safety practices, and enables Google’s AI innovation and deployment consistent with our AI Principles.” (p.2)

“The safety and security of frontier AI models is a global public good.” (p.2)

4.5.2 The company has a strong risk culture (33.3%) 10%

The framework notes that GDM’s safety approach “may change over time” and commits to reviewing the Frontier Safety Framework at least once a year, with more frequent reviews possible in the case of inadequacy of the framework or spotty adherence to it. To improve, the framework should either commit to building a strong risk culture or include more details on risk training, safety drills, internal transparency, and other risk culture-promoting activities.

Quotes:

“The Framework is based on early and evolving research. We may change our approach over time as we gain experience and insights on the projected capabilities of future frontier models. We will review the Framework periodically and we expect it to evolve substantially as our understanding of the risks and benefits of frontier models improves.” (p.2)

“The Frontier Safety Framework will be reviewed at least once a year—more frequently if we have reasonable grounds to believe the adequacy of the Framework or our adherence to it has been materially undermined. The process will involve (i) an assessment of the Framework’s appropriateness for the management of significant and severe risk, drawing on information sources such as record of adherence to the framework, relevant high-quality research, information shared through industry forums, and evaluation results, as necessary, and (ii) an assessment of our adherence to the Framework. Following this assessment, we may:
● Update our risk domains and T/CCLs, where necessary.
● Update our testing and mitigation approaches, where needed to ensure risk remains adequately assessed and addressed according to our current understanding.
The updated version and framework assessment will be reviewed by the appropriate corporate governance bodies.” (p.17)

4.5.3 The company has a strong speak-up culture (33.3%) 0%

No mention of elements of speak-up culture.

Quotes:

No relevant quotes found.

4.6 Transparency (5%) 28%

4.6.1 The company reports externally on what their risks are (33.3%) 10%

The framework states which capabilities the company is tracking, but does not explicitly commit to communicate the risk findings for individual models. To improve its score, the company should specify how it will provide information regarding risks going forward in e.g. model cards.

Quotes:

“In the Framework, we specify protocols for the detection of capability levels at which frontier AI models may pose significant or severe risks (which we call ‘Tracked Capability Levels (TCLs)’ and ‘Critical Capability Levels (CCLs)’ respectively), and articulate mitigation approaches to address such risks. The Framework addresses misuse risk as well as machine learning research and development (ML R&D) and misalignment risk.” (p.2)

4.6.2 The company reports externally on what their governance structure looks like (33.3%) 25%

The Framework repeatedly mentions “corporate governance bodies” and “governance functions”, but does not clearly distinguish between them or assign clear tasks to different bodies. It includes a distinct section on governance (Section 4), which is commendable, but this section only includes one paragraph which asserts at a high-level that a “comprehensive internal govenrance structure” exists, without specifying any operational detail.

Quotes:

“Section 4: Governance and Accountability
4.1 Governance structure
We have in place a well-established and comprehensive internal governance structure designed to ensure the robust implementation of the processes outlined in this Frontier Safety Framework. Responsibilities for assessing and mitigating risks are clearly defined and allocated across all levels of the organization. This includes legal, compliance, and safety reviews with escalation procedures to ensure appropriate oversight.” (p.16)

“external deployments and high-risk internal deployments of a model take place only after the appropriate governance function determines the residual risk to be acceptable” (p.14)

“The updated version and framework assessment will be reviewed by the appropriate corporate governance bodies.” (p.17)

“When a model reaches an alert threshold for a CCL, we will assess the proximity of the model to the CCL and analyze the risk posed, involving internal and external experts as needed.” (p.6)

“Material updates to a safety case will be submitted to the appropriate governance function for review and might result in updates to the related residual risk assessment or safety case.” (p.10)

4.6.3 The company shares information with industry peers and government bodies (33.3%) 50%

The framework suggests potential information sharing with “appropriate government authorities” and lists potential aspects this shared information may include, but frames it as a discretionary choice. For a higher score, the company would need to add precision to the sharing trigger, the information shared, the parties it will share it with, and make a binding commitment.

Quotes:

“If we assess that a model has reached a CCL that poses an unmitigated and material risk to overall public safety, we aim to share relevant information with appropriate government authorities where it will facilitate safety of frontier AI. Where appropriate, and subject to adequate confidentiality and security measures and considerations around proprietary and sensitive information, this information may include:
● Model information: characteristics of the AI model relevant to the risk it may pose with its critical capabilities.
● Evaluation results: such as details about the evaluation design, the results, and any robustness tests.
● Mitigation plans: descriptions of our mitigation plans and how they are expected to reduce the risk.
We may also consider disclosing information to other external organizations to promote shared learning and coordinated risk mitigation. We will continue to review and evolve our disclosure process over time.” (p.17)

Back to top