1.3.1 The company uses risk models for all the risk domains identified
and the risk models are published (with potentially dangerous
information redacted) (40%) 50%
Risk modelling is clearly conducted for each risk domain. The framework contains explicit threat scenarios, enabling capabilities, thresholds, and methodological discussion. The list of threat scenarios are published for each risk domain. There is a clear reliance on risk modelling for determining “whether models with new capabilities may pose novel risk”.
However, it does not publish formal probabilistic risk models, exhaustive pathway mappings, detailed expert lists, quantified likelihood estimates, or comprehensive prioritization methodologies. Some potentially sensitive pathway details are intentionally redacted or omitted.
Quotes:
“Our Framework is structured around a set of catastrophic outcomes. We have used threat
modeling to develop threat scenarios pertaining to each of these catastrophic outcomes.
For each threat scenario, we have identified the key capabilities that would enable a
threat scenario.” (p.3)
“Run threat modeling exercises
In order to ensure that our AI risk assessments (see section 2.1.2 below) have appropriate
coverage over potential risks, we conduct periodic threat modeling exercises as a
proactive measure to anticipate catastrophic risks from our Frontier AI. In the event that
we identify that a Frontier AI is likely to substantially contribute to a threat scenario for a
catastrophic outcome, we will conduct a threat modeling exercise in line with the
processes in section 3.2. We also conduct ex-ante threat modeling exercises to help us
determine whether models with new capabilities may pose novel risks (see more below).
The exact format of these exercises may vary. The general process is as follows:
1. Host workshops with experts, including external subject matter experts where
relevant, to identify new catastrophic outcomes and/or threat scenarios.
2. If new catastrophic outcomes and/or threat scenarios are identified, design new
assessments to test for them, in consultation with external experts where
relevant.” (p.4-5)
“We take an outcomes-led approach to assess and manage catastrophic risk in a
systematic, evidence-based manner. First, we identify a set of catastrophic outcomes we
must strive to prevent. Once the outcomes are defined, we perform threat modeling to
identify a set of potential causal pathways—i.e., threat scenarios—that may be sufficient
to realize these outcomes. We then identify a set of key risk factors associated with
Frontier AI, such as model capabilities and propensities, that could lead to realization of
each threat scenario. Lastly, we rely on evaluations that allow us to assess the extent to
which a given Frontier AI model could substantially contribute to each threat scenario,
and thus the corresponding catastrophic outcome(s). ” (p.12)
“Threat modeling is fundamental to our outcomes-led approach. We run threat modeling
exercises both internally and with external experts with relevant domain expertise, where
appropriate. The goal of these exercises is to explore, in a systematic way, how Frontier AI
models might substantially contribute to catastrophic outcomes.” (p.12)
“For each catastrophic outcome, we include a description of one or more threat
scenarios. See Section 3.2 for more information on how we have developed our threat
scenarios. We are not providing full details of the constituent steps and tasks within a
threat scenario, or the enabling capabilities required to achieve it as we want to better
understand how to balance transparency and security in this regard.” (p.18)
Coupled with each outcome is a threat scenario, describing the high-level steps involved for this outcome to be realized.
For instance, for the outcome “Cyber 1: Substantially lowers the barrier or reduces cost to a cyberattack that causes large-scale casualties or
significant financial loss”, the threat scenario is “TS.1.1: An AI system substantially contributes to the compromise of an
environment resulting in large-scale casualties or
significant financial loss, where that environment has
security practices that are typical for that class of environment. The compromise may achieve a goal like ransoming or comprehensive theft of a company’s critical IP using a chain of techniques – such as
network infiltration, sensitive data discovery, exfiltration, privilege escalation, and
lateral movement – for significantly less cost and/or
time than is feasible within the ecosystem absent
Frontier AI capabilities..” (p.19)
1.3.2 Risk modeling methodology (40%) 43%
1.3.2.1 Methodology precisely defined (70%) 50%
They have a clear and defined methodology. Meta defines a structured, outcomes-led threat-modeling methodology that decomposes catastrophic outcomes into threat scenarios, enabling capabilities, evaluations, and operational thresholds. The framework repeatedly describes this process as systematic and evidence-based, and risk pathways are broken into discrete measurable stages through capability checkpoints, enhanced evaluations, escalation thresholds, and deployment-context analysis.
However, it does not specify formal risk-modeling techniques such as event trees, fault trees, Bayesian networks, or structured expert elicitation methodologies. Expert consultation processes are referenced but not precisely operationalized, and the framework lacks formal quantitative modeling or uncertainty propagation methods.
Quotes:
“3.1 An outcomes-led approach
We take an outcomes-led approach to assess and manage catastrophic risk in a
systematic, evidence-based manner. First, we identify a set of catastrophic outcomes we
must strive to prevent. Once the outcomes are defined, we perform threat modeling to
identify a set of potential causal pathways—i.e., threat scenarios—that may be sufficient
to realize these outcomes. We then identify a set of key risk factors associated with
Frontier AI, such as model capabilities and propensities, that could lead to realization of
each threat scenario. Lastly, we rely on evaluations that allow us to assess the extent to
which a given Frontier AI model could substantially contribute to each threat scenario,
and thus the corresponding catastrophic outcome(s). This assessment, which is detailed
for each risk domain in section 4.2, is intended to determine an upper bound of the risk
associated with the Frontier AI model before mitigations are applied. (p.12)
“We design assessments to simulate whether our model would substantially contribute to
these scenarios, and identify the enabling capabilities the model would need to exhibit to
do so. See Section 4.2 for more detail.
It is important to note that the pathway to realize a catastrophic outcome is often
extremely complex, involving numerous external elements beyond the Frontier AI model
itself. Our threat scenarios endeavor to simulate and measure the end-to-end pathways
toward an outcome. By testing whether our model can substantially contribute to a
threat scenario, we measure how our model can realize an outcome.” (p.13)
“Threat modeling is a structured process of identifying how Frontier AI could
contribute to specific – and in this instance catastrophic – outcomes. This process
identifies the potential causal pathways for realizing the catastrophic outcome.
Threat scenarios describe the real-world events – including enabling capabilities,
deployment context, and threat actors (as relevant) – that may be sufficient to
produce a catastrophic outcome.” (p.41)
1.3.2.2 Mechanism to incorporate red teaming findings (15%) 25%
Meta explicitly states that novel catastrophic outcomes, threat scenarios, and emerging capabilities identified through threat modeling, evaluations, incidents, near misses, or deployment experience trigger the creation of new assessments and updates to the framework. It commits to periodically revising catastrophic outcomes, threat scenarios, and evaluation methodologies. Preparedness reports are also updated when new evidence materially changes prior risk assessments. While the framework does not specify a formal operational process for propagating red-team findings across all affected risk models, it clearly establishes an adaptive mechanism through which novel findings can trigger expanded scenario analysis and revisions to existing risk models.
Quotes:
“if new catastrophic outcomes and/or threat scenarios are identified, design new
assessments to test for them, in consultation with external experts where
relevant” (p.5)
“We also conduct ex-ante threat modeling exercises to help us
determine whether models with new capabilities may pose novel risks” (p.5)
“We will also include other risks identified through threat modeling exercises – informed
through literature reviews, user feedback, official release, serious incidents, and near
misses – that meet our four inclusion criteria. It is important to reiterate that these
catastrophic outcomes need not reflect current capabilities of our models, but are
included based on our threat modeling.” (p.18)
1.3.2.3 Prioritization of severe and probable risks (15%) 25%
There is some prioritization. Meta clearly prioritizes catastrophic and plausible risks through their methodology. The framework explicitly filters risks based on plausibility, catastrophic severity, novelty, and irreversibility. They also clearly deprioritize some risks in a structured manner. However, the framework does not publish explicit probability estimates, severity scores, confidence intervals, expected-risk calculations, or formal risk rankings across scenarios or domains. Prioritization is therefore qualitative and threshold-based rather than based on transparent probability × severity scoring.
Quotes:
“For this Framework specifically, we seek to consider risks that satisfy all four criteria:
Plausible: It must be possible to identify a causal pathway for the catastrophic outcome,
and to define one or more simulatable threat scenarios along that pathway.
Catastrophic: The outcome would have large scale, devastating, and potentially irreversible harmful effects.
Net new: The outcome cannot currently be realized as described (e.g. at that scale /
by that threat actor / for that cost) with existing tools and resources.
Instantaneous or irremediable: The outcome is such that once realized, its catastrophic impacts are immediately felt, or inevitable due to a lack of feasible measures to remediate.” (p.13)
“We take an outcomes-led approach to assess and manage catastrophic risk in a
systematic, evidence-based manner. First, we identify a set of catastrophic outcomes we
must strive to prevent” (p.12)
“existing evaluation approaches are currently too nascent to incorporate these outcomes into our Framework” (p.36)
1.3.3 Third party validation of risk models (20%) 25%
The framework partially satisfies this criterion. Meta clearly incorporates external experts, governments, and broader AI-community engagement into its threat-modeling and evaluation processes, including external participation in identifying catastrophic outcomes, threat scenarios, and red-team exercises. However, the framework does not establish a formal process whereby independent third parties review and are accountable for the final risk models themselves. No external auditors, advisory boards, or named validators are identified, and the framework does not describe any formal external sign-off, peer review, or independent assessment mechanism for the published risk models. It also does not explicitly justify the absence of such external validation. Nonetheless, the effort to ensure that third party expert opinion is present in the risk modelling process is commendable.
Quotes:
“The exact format of these exercises may vary. The general process is as follows:
1. Host workshops with experts, including external subject matter experts where
relevant, to identify new catastrophic outcomes and/or threat scenarios.
2. If new catastrophic outcomes and/or threat scenarios are identified, design new
assessments to test for them, in consultation with external experts where
relevant.” (p.6)
“Threat modeling is fundamental to our outcomes-led approach. We run threat modeling
exercises both internally and with external experts with relevant domain expertise, where
appropriate. ” (p.12)
“Our threat modeling is informed by our own internal experts’ assessment of the
catastrophic risks that Frontier AI might pose, as well as engagements with governments,
external experts, and the wider AI community. However, there remains quite considerable
divergence in expert opinion as to how AI capabilities will develop and the time horizons
on which they could emerge.” (p.13)