Meta

Category
Meta
Best in Class
1. Risk Identification
49%
62%
  • 1. Classification of Applicable Known Risks (40%)
    50%
    90%
    • 1. Risks from literature and taxonomies are well covered (50%)
      75%
      90%
    • 2. Exclusions are clearly justified and documented (50%)
      25%
      90%
  • 2. Identification of Unknown Risks (Open-ended red teaming) (20%)
    43%
    43%
    • 1. Internal open-ended red teaming (70%)
      50%
      50%
    • 2. Third party open-ended red teaming (30%)
      25%
      25%
  • 3. Risk modeling (40%)
    52%
    52%
    • 1. The company uses risk models for all the risk domains identified
and the risk models are published (with potentially dangerous
information redacted) (40%)
      50%
      75%
    • 2. Risk modeling methodology (40%)
      43%
      43%
      • 1. Methodology precisely defined (70%)
        50%
        50%
      • 2. Mechanism to incorporate red teaming findings (15%)
        25%
        25%
      • 3. Prioritization of severe and probable risks (15%)
        25%
        75%
    • 3. Third party validation of risk models (20%)
      25%
      50%
2. Risk Analysis and Evaluation
36%
36%
  • 1. Setting a Risk Tolerance (35%)
    22%
    22%
    • 1. Risk tolerance is defined (80%)
      28%
      28%
      • 1. Risk tolerance is at least qualitatively defined for all risks (33%)
        75%
        75%
      • 2. Risk tolerance is expressed at least partly quantitatively as a combination of scenarios (qualitative) and probabilities (quantitative) for all risks (33%)
        10%
        10%
      • 3. Risk tolerance is expressed fully quantitatively as a product of severity (quantitative) and probability (quantitative) for all risks (33%)
        0%
        0%
    • 2. Process to define the tolerance (20%)
      0%
      10%
      • 1. AI developers engage in public consultations or seek guidance from regulators where available (50%)
        0%
        10%
      • 2. Any significant deviations from risk tolerance norms established in other industries is justified and documented (e.g., cost-benefit analyses) (50%)
        0%
        10%
  • 2. Operationalizing Risk Tolerance (65%)
    44%
    44%
    • 1. Key Risk Indicators (KRI) (30%)
      59%
      59%
      • 1. KRI thresholds are at least qualitatively defined for all risks (45%)
        75%
        75%
      • 2. KRI thresholds are quantitatively defined for all risks (45%)
        50%
        50%
      • 3. KRIs also identify and monitor changes in the level of risk in the external environment (10%)
        25%
        25%
    • 2. Key Control Indicators (KCI) (30%)
      37%
      37%
      • 1. Containment KCIs (35%)
        38%
        45%
        • 1. All KRI thresholds have corresponding qualitative containment KCI thresholds (50%)
          75%
          90%
        • 2. All KRI thresholds have corresponding quantitative containment KCI thresholds (50%)
          0%
          10%
      • 2. Deployment KCIs (35%)
        25%
        43%
        • 1. All KRI thresholds have corresponding qualitative deployment KCI thresholds (50%)
          25%
          75%
        • 2. All KRI thresholds have corresponding quantitative deployment KCI thresholds (50%)
          25%
          25%
      • 3. For advanced KRIs, assurance process KCIs are defined (30%)
        50%
        50%
    • 3. Pairs of thresholds are grounded in risk modeling to show that risks remain below the tolerance (20%)
      25%
      25%
    • 4. Policy to put development on hold if the required KCI threshold cannot be achieved, until sufficient controls are implemented to meet the threshold (20%)
      50%
      50%
3. Risk Treatment
20%
38%
  • 1. Implementing Mitigation Measures (50%)
    15%
    38%
    • 1. Containment measures (35%)
      6%
      74%
      • 1. Containment measures are precisely defined for all KCI thresholds (60%)
        10%
        90%
      • 2. Proof that containment measures are sufficient to meet the thresholds (40%)
        0%
        50%
      • 3. Strong third party verification process to verify that the containment measures meet the threshold (100% if 3.1.1.3 > [60% x 3.1.1.1 + 40% x 3.1.1.2])
        0%
        25%
    • 2. Deployment measures (35%)
      19%
      40%
      • 1. Deployment measures are precisely defined for all KCI thresholds (60%)
        25%
        50%
      • 2. Proof that deployment measures are sufficient to meet the thresholds (40%)
        100%
        100%
      • 3. Strong third party verification process to verify that the deployment measures meet the threshold (100% if 3.1.2.3 > [60% x 3.1.2.1 + 40% x 3.1.2.2])
        0%
        25%
    • 3. Assurance processes (30%)
      22%
      43%
      • 1. Credible plans towards the development of assurance processes (40%)
        25%
        25%
      • 2. Evidence that the assurance processes are enough to achieve their corresponding KCI thresholds (40%)
        10%
        50%
      • 3. The underlying assumptions that are essential for their effective implementation and success are clearly outlined (20%)
        50%
        75%
  • 2. Continuous Monitoring and Comparing Results with Pre-determined Thresholds (50%)
    25%
    40%
    • 1. Monitoring of KRIs (40%)
      30%
      50%
      • 1. Justification that elicitation methods used during the evaluations are comprehensive enough to match the elicitation efforts of potential threat actors (30%)
        50%
        90%
      • 2. Evaluation frequency (25%)
        25%
        90%
      • 3. Description of how post-training enhancements are factored into capability assessments (15%)
        50%
        50%
      • 4. Vetting of protocols by third parties (15%)
        10%
        25%
      • 5. Replication of evaluations by third parties (15%)
        10%
        25%
    • 2. Monitoring of KCIs (40%)
      13%
      43%
      • 1. Detailed description of evaluation methodology and justification that KCI thresholds will not be crossed unnoticed (40%)
        25%
        50%
      • 2. Vetting of protocols by third parties (30%)
        0%
        50%
      • 3. Replication of evaluations by third parties (30%)
        10%
        25%
    • 3. Transparency of evaluation results (10%)
      43%
      64%
      • 1. Sharing of evaluation results with relevant stakeholders as appropriate (85%)
        50%
        75%
      • 2. Commitment to non-interference with findings (15%)
        0%
        0%
    • 4. Monitoring for novel risks (10%)
      30%
      38%
      • 1. Identifying novel risks post-deployment: engages in some process (post deployment) explicitly for identifying novel risk domains or novel risk models within known risk domains (50%)
        10%
        50%
      • 2. Mechanism to incorporate novel risks identified post-deployment (50%)
        50%
        50%
4. Risk Governance
28%
50%
  • 1. Decision-making (25%)
    36%
    56%
    • 1. The company has clearly defined risk owners for every key risk identified and tracked (25%)
      50%
      75%
    • 2. The company has a dedicated risk committee at the management level that meets regularly (25%)
      10%
      90%
    • 3. The company has defined protocols for how to make go/no-go decisions (25%)
      75%
      75%
    • 4. The company has defined escalation procedures in case of incidents (25%)
      10%
      75%
  • 2. Advisory and Challenge (20%)
    75%
    75%
    • 1. The company has an executive risk officer with sufficient resources (16.7%)
      75%
      75%
    • 2. The company has a committee advising management on decisions involving risk (16.7%)
      10%
      90%
    • 3. The company has an established system for tracking and monitoring risks (16.7%)
      25%
      75%
    • 4. The company has designated people that can advise and challenge management on decisions involving risk (16.7%)
      10%
      50%
    • 5. The company has an established system for aggregating risk data and reporting on risk to senior management and the Board (16.7%)
      25%
      90%
    • 6. The company has an established central risk function (16.7%)
      50%
      50%
  • 3. Audit (20%)
    30%
    58%
    • 1. The company has an internal audit function involved in AI governance (50%)
      50%
      50%
    • 2. The company involves external auditors (50%)
      10%
      90%
  • 4. Oversight (20%)
    5%
    58%
    • 1. The Board of Directors of the company has a committee that provides oversight over all decisions involving risk (50%)
      10%
      90%
    • 2. The company has other governing bodies outside of the Board of Directors that provide oversight over decisions (50%)
      0%
      90%
  • 5. Culture (10%)
    28%
    67%
    • 1. The company has a strong tone from the top (33.3%)
      10%
      50%
    • 2. The company has a strong risk culture (33.3%)
      0%
      75%
    • 3. The company has a strong speak-up culture (33.3%)
      75%
      100%
  • 6. Transparency (5%)
    50%
    75%
    • 1. The company reports externally on what their risks are (33.3%)
      50%
      90%
    • 2. The company reports externally on what their governance structure looks like (33.3%)
      75%
      90%
    • 3. The company shares information with industry peers and government bodies (33.3%)
      25%
      90%
Summary

Meta released its second iteration of its Advanced AI Scaling Framework earlier in 2026, which strengthened the framework significantly. It is now among the highest scoring. Meta’s framework is particularly notable for its strong risk modeling, Key Risk Indicators and defined go/no-go protocols.

Overview
Strengths
  • Unacceptable catastrophic outcomes defined per domain, operationalized via moderate/high/critical thresholds and a “moderate or lower” residual-risk requirement for deployment (2.1.1.1).
  • Strongest risk modeling approach, which includes outcomes-led decomposition (catastrophic outcomes → threat scenarios → enabling capabilities → evaluations; 1.3.2.1), as well as risk models for all risk domains (1.3.1).
  • Role of Chief AI Officer defined (4.2.1).
  • Meta’s framework defines catastrophic outcomes in cybersecurity, chemical and biological risks, and loss of control, then works backwards through threat scenarios and enabling capabilities to evaluations and risk thresholds. This structure makes Meta the strongest framework in Risk Analysis and Evaluation. It leads the field on defining risk tolerance qualitatively and on the precision of its threat modeling methodology. However, the framework describes no board or management risk committees, no independent external audits or third-party verification of evaluations and mitigations, and no evidence that containment measures are sufficient for their thresholds.
Weaknesses
  • No formal oversight structures: no board risk committee (4.4.1), management risk committee (4.1.2), or governing bodies beyond the Board (4.4.2)
  • No independent external assurance: external experts advise but do not audit (4.3.2); no third-party vetting, replication (3.2), or verification of evaluations and mitigations (3.1.1.3).
  • Containment underspecified: measures not precisely mapped to KCI thresholds, and no evidence they suffice to meet them (3.1.1).
  • Evaluation cadence not operationalized: escalation-triggered, but fixed frequencies and compute-based triggers are sparse and unjustified (3.2.1.2).
Documents analyzed

We analyzed the policies outlined in Meta’s Advanced AI Scaling Framework v2.

Changes from previous version

Meta’s second iteration of its framework was a significant improvement, strengthening practices across the board – in risk identification, risk analysis and evaluation and risk governance.

1.1 Classification of Applicable Known Risks (40%) 50%

1.1.1 Risks from literature and taxonomies are well covered (50%) 75%

The framework covers cybersecurity, chemical and biological and loss of control risks, i.e. most of the main risks commonly included. They do not reference obtaining risks from the literature per se, but they have a justification for why they selected these domains, in that they list the criteria they use. These are that the risks need to be: Plausible, Catastrophic, Net new, Instantaneous or irremediable. They also substantially decompose loss-of-control into concrete sub-threats such as evaluation awareness, monitor evasion, autonomous AI R&D, and autonomous replication. Harmful manipulation is only covered through cyber.

Quotes

“Criteria
Plausible It must be possible to identify a causal pathway for the catastrophic outcome, and to define one or more simulatable threat scenarios along that pathway.
This ensures an implementable, evidence-led approach. Catastrophic The outcome would have large scale, devastating, and potentially irreversible harmful effects. Net new The outcome cannot currently be realized as described (e.g. at that scale / by that threat actor / for that cost) with existing tools and resources but without
access to general-purpose AI. Instantaneous or irremediable The outcome is such that once realized, its catastrophic impacts are immediately felt, or inevitable due to a lack of feasible measures to remediate.” (p.13-14)

“This sub-section outlines the catastrophic outcomes that are in scope of our Framework. We include catastrophic outcomes in the following risk domains: Cybersecurity, Chemical & Biological Risks, and Loss of Control. For Loss of Control, we introduce a relatively distinct approach by focusing on outcomes corresponding to failures of critical control mechanisms which would need to be realized to enable catastrophic pathways for Loss of Control to progress.” (p.18)

“Cyber 3: Large-scale casualties or significant financial loss to individuals or organizations via scaled long form fraud, extortion, and scams.” (p.19)

1.1.2 Exclusions are clearly justified and documented (50%) 25%

They provide the criteria they use to evaluate whether to include risks. They do not give examples of risks they do not include, but note that risks that don’t fulfill the four criteria might still be serious and are addressed through other processes. They also note that this might change.

Quotes:

“Some catastrophic harms may not satisfy all four criteria; for example, they may unfold gradually or be partially remediable. These remain serious and are addressed through other safety and integrity processes outside of the scope of this Framework.” (p.14)

” It is possible that as our understanding of Frontier
AI improves, defined outcomes or threat scenarios might be removed, if we determine
that they no longer meet our criteria for inclusion. We also may need to add new
outcomes in the future. Those outcomes might be in entirely novel risk domains,
potentially as a result of novel model capabilities, or they might reflect changes to the
threat landscape in existing risk domains that bring new kinds of threat actors into scope.” (p.12)

1.2 Identification of Unknown Risks (Open-ended red teaming) (20%) 43%

1.2.1 Internal open-ended red teaming (70%) 50%

The framework does not specify a process for this per se, but notes that they are open to including other risks as they are identified through threat modeling. Throughout the framework, they note an openness to identifying and assessing new risks and scenarios. They also list risks they are monitoring but are not yet including for outcomes and thresholds (Radiological and nuclear, Physical autonomy, Loss of human oversight capacity, Loss of ability to contain AI)

Quotes:

“We also conduct ex-ante threat modeling exercises to help us
determine whether models with new capabilities may pose novel risks” (p.5)

“The exact format of these exercises may vary. The general process is as follows:
1. Host workshops with experts, including external subject matter experts where
relevant, to identify new catastrophic outcomes and/or threat scenarios.

2. If new catastrophic outcomes and/or threat scenarios are identified, design new
assessments to test for them, in consultation with external experts where
relevant.” (p.5)

“It is important to acknowledge that we cannot claim to have anticipated all potential threat scenarios. There is always a potential for ‘unknown unknowns’.” (p.13)

“We will also include other risks identified through threat modeling exercises – informed
through literature reviews, user feedback, official release, serious incidents, and near
misses – that meet our four inclusion criteria. It is important to reiterate that these
catastrophic outcomes need not reflect current capabilities of our models, but are
included based on our threat modeling.” (p.18)

Specifically, these outcomes may potentially present catastrophic risk and warrant proactive investigation, but existing evaluation approaches are currently too nascent to incorporate these outcomes into our Framework. (p.37)

1.2.2 Third party open-ended red teaming (30%) 25%

The framework does not specify a process for third-party red teaming, but notes that new risks may be identified through threat modeling and that this involves external experts. They also mention workshops that include external subject matter experts. They commit to involving external experts in pre-deployment threat modeling, evaluation design, and red teaming for cyber and chemical/biological risks.

Quotes:
“We will also include other risks identified through threat modeling exercises – informed
through literature reviews, user feedback, official release, serious incidents, and near
misses – that meet our four inclusion criteria. It is important to reiterate that these
catastrophic outcomes need not reflect current capabilities of our models, but are
included based on our threat modeling.” (p.18)

“We run threat modeling exercises both internally and with external experts with relevant domain expertise, where appropriate.” (p.12)

“The exact format of these exercises may vary. The general process is as follows:
1. Host workshops with experts, including external subject matter experts where
relevant, to identify new catastrophic outcomes and/or threat scenarios.

2. If new catastrophic outcomes and/or threat scenarios are identified, design new
assessments to test for them, in consultation with external experts where
relevant.” (p.5)

1.3 Risk modeling (40%) 52%

1.3.1 The company uses risk models for all the risk domains identified
and the risk models are published (with potentially dangerous
information redacted) (40%) 50%

Risk modelling is clearly conducted for each risk domain. The framework contains explicit threat scenarios, enabling capabilities, thresholds, and methodological discussion. The list of threat scenarios are published for each risk domain. There is a clear reliance on risk modelling for determining “whether models with new capabilities may pose novel risk”.

However, it does not publish formal probabilistic risk models, exhaustive pathway mappings, detailed expert lists, quantified likelihood estimates, or comprehensive prioritization methodologies. Some potentially sensitive pathway details are intentionally redacted or omitted.

Quotes:

“Our Framework is structured around a set of catastrophic outcomes. We have used threat
modeling to develop threat scenarios pertaining to each of these catastrophic outcomes.
For each threat scenario, we have identified the key capabilities that would enable a
threat scenario.” (p.3)

“Run threat modeling exercises
In order to ensure that our AI risk assessments (see section 2.1.2 below) have appropriate
coverage over potential risks, we conduct periodic threat modeling exercises as a
proactive measure to anticipate catastrophic risks from our Frontier AI. In the event that
we identify that a Frontier AI is likely to substantially contribute to a threat scenario for a
catastrophic outcome, we will conduct a threat modeling exercise in line with the
processes in section 3.2. We also conduct ex-ante threat modeling exercises to help us
determine whether models with new capabilities may pose novel risks (see more below).
The exact format of these exercises may vary. The general process is as follows:
1. Host workshops with experts, including external subject matter experts where
relevant, to identify new catastrophic outcomes and/or threat scenarios.
2. If new catastrophic outcomes and/or threat scenarios are identified, design new
assessments to test for them, in consultation with external experts where
relevant.” (p.4-5)

“We take an outcomes-led approach to assess and manage catastrophic risk in a
systematic, evidence-based manner. First, we identify a set of catastrophic outcomes we
must strive to prevent. Once the outcomes are defined, we perform threat modeling to
identify a set of potential causal pathways—i.e., threat scenarios—that may be sufficient
to realize these outcomes. We then identify a set of key risk factors associated with
Frontier AI, such as model capabilities and propensities, that could lead to realization of
each threat scenario. Lastly, we rely on evaluations that allow us to assess the extent to
which a given Frontier AI model could substantially contribute to each threat scenario,
and thus the corresponding catastrophic outcome(s). ” (p.12)

“Threat modeling is fundamental to our outcomes-led approach. We run threat modeling
exercises both internally and with external experts with relevant domain expertise, where
appropriate. The goal of these exercises is to explore, in a systematic way, how Frontier AI
models might substantially contribute to catastrophic outcomes.” (p.12)

“For each catastrophic outcome, we include a description of one or more threat
scenarios. See Section 3.2 for more information on how we have developed our threat
scenarios. We are not providing full details of the constituent steps and tasks within a
threat scenario, or the enabling capabilities required to achieve it as we want to better
understand how to balance transparency and security in this regard.” (p.18)

Coupled with each outcome is a threat scenario, describing the high-level steps involved for this outcome to be realized.
For instance, for the outcome “Cyber 1: Substantially lowers the barrier or reduces cost to a cyberattack that causes large-scale casualties or
significant financial loss”, the threat scenario is “TS.1.1: An AI system substantially contributes to the compromise of an
environment resulting in large-scale casualties or
significant financial loss, where that environment has
security practices that are typical for that class of environment. The compromise may achieve a goal like ransoming or comprehensive theft of a company’s critical IP using a chain of techniques – such as
network infiltration, sensitive data discovery, exfiltration, privilege escalation, and
lateral movement – for significantly less cost and/or
time than is feasible within the ecosystem absent
Frontier AI capabilities..” (p.19)

1.3.2 Risk modeling methodology (40%) 43%

1.3.2.1 Methodology precisely defined (70%) 50%

They have a clear and defined methodology. Meta defines a structured, outcomes-led threat-modeling methodology that decomposes catastrophic outcomes into threat scenarios, enabling capabilities, evaluations, and operational thresholds. The framework repeatedly describes this process as systematic and evidence-based, and risk pathways are broken into discrete measurable stages through capability checkpoints, enhanced evaluations, escalation thresholds, and deployment-context analysis.
However, it does not specify formal risk-modeling techniques such as event trees, fault trees, Bayesian networks, or structured expert elicitation methodologies. Expert consultation processes are referenced but not precisely operationalized, and the framework lacks formal quantitative modeling or uncertainty propagation methods.

Quotes:

“3.1 An outcomes-led approach
We take an outcomes-led approach to assess and manage catastrophic risk in a
systematic, evidence-based manner. First, we identify a set of catastrophic outcomes we
must strive to prevent. Once the outcomes are defined, we perform threat modeling to
identify a set of potential causal pathways—i.e., threat scenarios—that may be sufficient
to realize these outcomes. We then identify a set of key risk factors associated with
Frontier AI, such as model capabilities and propensities, that could lead to realization of
each threat scenario. Lastly, we rely on evaluations that allow us to assess the extent to
which a given Frontier AI model could substantially contribute to each threat scenario,
and thus the corresponding catastrophic outcome(s). This assessment, which is detailed
for each risk domain in section 4.2, is intended to determine an upper bound of the risk
associated with the Frontier AI model before mitigations are applied. (p.12)

“We design assessments to simulate whether our model would substantially contribute to
these scenarios, and identify the enabling capabilities the model would need to exhibit to
do so. See Section 4.2 for more detail.
It is important to note that the pathway to realize a catastrophic outcome is often
extremely complex, involving numerous external elements beyond the Frontier AI model
itself. Our threat scenarios endeavor to simulate and measure the end-to-end pathways
toward an outcome. By testing whether our model can substantially contribute to a
threat scenario, we measure how our model can realize an outcome.” (p.13)

“Threat modeling is a structured process of identifying how Frontier AI could
contribute to specific – and in this instance catastrophic – outcomes. This process
identifies the potential causal pathways for realizing the catastrophic outcome.
Threat scenarios describe the real-world events – including enabling capabilities,
deployment context, and threat actors (as relevant) – that may be sufficient to
produce a catastrophic outcome.” (p.41)

1.3.2.2 Mechanism to incorporate red teaming findings (15%) 25%

Meta explicitly states that novel catastrophic outcomes, threat scenarios, and emerging capabilities identified through threat modeling, evaluations, incidents, near misses, or deployment experience trigger the creation of new assessments and updates to the framework. It commits to periodically revising catastrophic outcomes, threat scenarios, and evaluation methodologies. Preparedness reports are also updated when new evidence materially changes prior risk assessments. While the framework does not specify a formal operational process for propagating red-team findings across all affected risk models, it clearly establishes an adaptive mechanism through which novel findings can trigger expanded scenario analysis and revisions to existing risk models.

Quotes:

“if new catastrophic outcomes and/or threat scenarios are identified, design new
assessments to test for them, in consultation with external experts where
relevant” (p.5)

“We also conduct ex-ante threat modeling exercises to help us
determine whether models with new capabilities may pose novel risks” (p.5)

“We will also include other risks identified through threat modeling exercises – informed
through literature reviews, user feedback, official release, serious incidents, and near
misses – that meet our four inclusion criteria. It is important to reiterate that these
catastrophic outcomes need not reflect current capabilities of our models, but are
included based on our threat modeling.” (p.18)

1.3.2.3 Prioritization of severe and probable risks (15%) 25%

There is some prioritization. Meta clearly prioritizes catastrophic and plausible risks through their methodology. The framework explicitly filters risks based on plausibility, catastrophic severity, novelty, and irreversibility. They also clearly deprioritize some risks in a structured manner. However, the framework does not publish explicit probability estimates, severity scores, confidence intervals, expected-risk calculations, or formal risk rankings across scenarios or domains. Prioritization is therefore qualitative and threshold-based rather than based on transparent probability × severity scoring.

Quotes:

“For this Framework specifically, we seek to consider risks that satisfy all four criteria:
Plausible: It must be possible to identify a causal pathway for the catastrophic outcome,
 and to define one or more simulatable threat scenarios along that pathway.

Catastrophic: The outcome would have large scale, devastating, and potentially irreversible harmful effects.

Net new: The outcome cannot currently be realized as described (e.g. at that scale /
 by that threat actor / for that cost) with existing tools and resources.

Instantaneous or irremediable: The outcome is such that once realized, its catastrophic impacts are immediately felt, or inevitable due to a lack of feasible measures to remediate.” (p.13)

“We take an outcomes-led approach to assess and manage catastrophic risk in a
systematic, evidence-based manner. First, we identify a set of catastrophic outcomes we
must strive to prevent” (p.12)

“existing evaluation approaches are currently too nascent to incorporate these outcomes into our Framework” (p.36)

1.3.3 Third party validation of risk models (20%) 25%

The framework partially satisfies this criterion. Meta clearly incorporates external experts, governments, and broader AI-community engagement into its threat-modeling and evaluation processes, including external participation in identifying catastrophic outcomes, threat scenarios, and red-team exercises. However, the framework does not establish a formal process whereby independent third parties review and are accountable for the final risk models themselves. No external auditors, advisory boards, or named validators are identified, and the framework does not describe any formal external sign-off, peer review, or independent assessment mechanism for the published risk models. It also does not explicitly justify the absence of such external validation. Nonetheless, the effort to ensure that third party expert opinion is present in the risk modelling process is commendable.

Quotes:

“The exact format of these exercises may vary. The general process is as follows:
1. Host workshops with experts, including external subject matter experts where
relevant, to identify new catastrophic outcomes and/or threat scenarios.

2. If new catastrophic outcomes and/or threat scenarios are identified, design new
assessments to test for them, in consultation with external experts where
relevant.” (p.6)

“Threat modeling is fundamental to our outcomes-led approach. We run threat modeling
exercises both internally and with external experts with relevant domain expertise, where
appropriate. ” (p.12)

“Our threat modeling is informed by our own internal experts’ assessment of the
catastrophic risks that Frontier AI might pose, as well as engagements with governments,
external experts, and the wider AI community. However, there remains quite considerable
divergence in expert opinion as to how AI capabilities will develop and the time horizons
on which they could emerge.” (p.13)

Back to top

2.1 Setting a Risk Tolerance (35%) 22%

2.1.1 Risk tolerance is defined (80%) 28%

2.1.1.1 Risk tolerance is at least qualitatively defined for all risks (33%) 75%

The framework substantially satisfies this criterion. Meta clearly defines unacceptable catastrophic outcomes across cybersecurity, chemical/biological, and loss-of-control domains, and operationalizes risk tolerance through qualitative moderate, high, and critical risk thresholds tied to deployment. The framework explicitly states that deployment may proceed only when mitigations reduce risks to “moderate or lower” levels, thereby establishing a qualitative residual-risk tolerance. Domain-specific tolerances are described through scenario-based catastrophic outcomes such as large-scale casualties, significant financial loss, proliferation of biological weapons, and loss of ability to control AI systems.

Quotes:

“Cyber 1: Substantially lowers the barrier or reduces cost to a cyberattack that causes large-scale casualties or significant financial loss.”
“Cyber 2: Automated discovery and reliable exploitation of critical zero-day vulnerabilities… that results in large-scale casualties or significant financial loss.” (pps 18-19)

“Proceed with deployment of the Frontier AI only if sufficient mitigations are defined, implemented and validated to reduce risk to that of a moderate or lower model.” (p.15)

“Frontier AI that meets the high or critical risk threshold requires additional mitigations before deployment.” (p.16)

‘Catastrophic outcomes are outcomes that would have large scale, devastating, and potentially irreversible harmful impacts on humanity” (p.41)

2.1.1.2 Risk tolerance is expressed at least partly quantitatively as a combination of scenarios (qualitative) and probabilities (quantitative) for all risks (33%) 10%

The framework does not meaningfully satisfy this criterion. Meta defines qualitative catastrophic outcomes and operational risk thresholds across all major risk domains, but does not express them quantitatively. The framework lacks explicit likelihood estimates, confidence intervals, annualized risk thresholds, expected-loss ceilings, or quantitative residual-risk targets for catastrophic scenarios. While some evaluation metrics and benchmark thresholds are quantitative, these do not constitute quantitative risk tolerances.

Quotes:
“As an illustrative example, on the BioTIER refusal evaluation, which includes information
that could support development of biological weapons, our risk acceptance criteria
includes at least 80% refusal or safe responses, and 40% refusal or safe responses
against all adversarial attacks within a typical adversarial attack portfolio.” (p.33)

2.1.1.3 Risk tolerance is expressed fully quantitatively as a product of severity (quantitative) and probability (quantitative) for all risks (33%) 0%

Meta does not use any risk tolerance defined quantitatively using severity or probability.

Quotes:
No relevant quotes found.

2.1.2 Process to define the tolerance (20%) 0%

2.1.2.1 AI developers engage in public consultations or seek guidance from regulators where available (50%) 0%

They mention working with government officials for some catastrophic risks, but not for setting risk tolerance.

Quotes:

No relevant quotes found.

2.1.2.2 Any significant deviations from risk tolerance norms established in other industries is justified and documented (e.g., cost-benefit analyses) (50%) 0%

Meta’s framework does not meaningfully justify its implicit risk tolerances relative to established high-risk industries. While the framework discusses catastrophic risks, mitigations, and societal benefits of advanced AI, it does not provide explicit comparative risk benchmarks, or documented cost-benefit analyses explaining why its chosen tolerance levels are appropriate.

Quotes:
No relevant quotes found.

2.2 Operationalizing Risk Tolerance (65%) 44%

2.2.1 Key Risk Indicators (KRI) (30%) 59%

2.2.1.1 KRI thresholds are at least qualitatively defined for all risks (45%) 75%

Meta’s framework performs strongly on this criterion. It defines multiple qualitative KRIs across all major risk domains, grounded in explicit threat models and tied to concrete evaluation thresholds and escalation procedures. Examples include specific capability levels such as offensive cyber challenge performance, biological refusal rates, autonomous research task completion, and evaluation-evasion behaviors, all of which are linked to defined “moderate,” “high,” or “critical” risk thresholds and corresponding mitigation requirements. For example, Meta specifies concrete escalation triggers such as performance thresholds on cybersecurity benchmarks, enhanced evaluations following capability checkpoints, and predefined refusal-rate expectations for bio risks.

Quotes:

“Complex challenges
Once a model exceeds the simple suite threshold described above, in order to determine
risk level, we require additional testing on more realistic challenges to assess whether the
model exceeds the ‘moderate or lower’ risk threshold, such as:
[Cyber 1] End-to-end compromise attempt on a multi-host, network, with
standard defenses in place requiring multi-stage chains (initial access -> privilege
escalation -> lateral movement -> objective completion with basic detection
evasion),” (p.29)

2.2.1.2 KRI thresholds are quantitatively defined for all risks (45%) 50%

Meta scores fairly strongly on this criterion. The framework defines multiple KRIs using quantitatively measurable thresholds across all major risk domains, including cybersecurity, chemical/biological risks, and loss of control. These KRIs are operationalized through benchmark performance levels, refusal-rate thresholds, pass@k metrics, and concrete capability checkpoints that act as pre-deployment escalation triggers tied to mitigation and deployment decisions.

Quotes:

“For example, if a model under test achieves < 75% pass@10 success on all categories of simple capture the flag (CTF) 6 challenges in unguided mode, 7 we conclude that it does not exceed the “moderate or lower” risk level. ” (p.28)

“Autonomously and consistently complete software engineering tasks which would take a human professional familiar with such tasks two or more hours.” (p.34)

“As an illustrative example, on the BioTIER refusal evaluation, which includes information that could support development of biological weapons, our risk acceptance criteria includes at least 80% refusal or safe responses, and 40% refusal or safe responses against all adversarial attacks within a typical adversarial attack portfolio.” (p.33)

2.2.1.3 KRIs also identify and monitor changes in the level of risk in the external environment (10%) 25%

Meta partially satisfies this criterion. The framework explicitly considers deployment context, tooling, scaffolding, adversarial adaptation, ecosystem changes, and observed real-world incidents as part of ongoing risk assessment. It repeatedly emphasizes that risk depends not only on the base model itself, but also on the external environment in which the model is deployed and used. However, the framework is weaker on defining formalized external-environment KRIs with explicit quantitative thresholds or automated escalation triggers.

Quotes:

“We design our evaluations to account for how the model will be deployed, including assessing how its capabilities might be enhanced.” (p.6)

“This usually takes the form of a threat modeling exercise to determine the degree to which the model substantially contributes to a threat scenario. It incorporates information about evaluations and reported incidents from other relevant models, the results of evaluations conducted throughout, and the results of adequacy assessments for mitigations that have been implemented.” (p.6)

2.2.2 Key Control Indicators (KCI) (30%) 37%

2.2.2.1 Containment KCIs (35%) 38%
2.2.2.1.1 All KRI thresholds have corresponding qualitative containment KCI thresholds (50%) 75%

Meta performs reasonably strongly on this criterion. The framework consistently links elevated KRI levels to corresponding containment and mitigation requirements, particularly through deployment gating rules, heightened model-weight security requirements, mitigation validation, and deployment restrictions tied to “high” and “critical” risk thresholds. The framework is somewhat weaker on formalizing these as standardized measurable containment levels analogous to formal security classifications, but the mapping between risk indicators and required containment conditions is explicit and operationalized.

Quotes:
“Critical
Continued development of the Frontier AI could substantially contribute to any threat scenario associated with a catastrophic outcome, or deployment of the Frontier
AI could uniquely enable the execution of at least one of the threat scenarios associated with a catastrophic outcome and that risk cannot be mitigated in the proposed
deployment context.
Security Mitigations
Initiate protocols for heightened access controls to model weights as overseen by the Chief AI Officer and/or Director of Alignment and Risk, to prevent their tampering
or exfiltration insofar as is technically feasible and commercially practicable.
Measures

Develop with Mitigations
Proceed with deployment of the Frontier AI only if sufficient mitigations are defined, implemented and validated to reduce risk to that of a moderate or lower model.” (p.15)

2.2.2.1.2 All KRI thresholds have corresponding quantitative containment KCI thresholds (50%) 0%

Meta only partially satisfies this criterion. The framework contains some quantitative KCIs tied to mitigation effectiveness, but it does not define fully quantitative containment thresholds. Many containment requirements remain qualitative rather than quantitatively specified. For example, “heightened access controls” or “security protections” are not operationalized into explicit measurable containment levels.

Quotes:

No relevant quotes found.

2.2.2.2 Deployment KCIs (35%) 25%
2.2.2.2.1 All KRI thresholds have corresponding qualitative deployment KCI thresholds (50%) 25%

This criterion is partially fulfilled, but not strongly or systematically operationalized. Meta’s framework clearly links risk thresholds (KRIs) to required deployment mitigations and controls, and it describes several qualitative deployment conditions that must be satisfied before deployment proceeds. However, it generally does not define these as explicit, structured deployment KCIs mapped one-to-one to each KRI threshold. The framework is stronger on “mitigations must exist and be validated” than on specifying clearly operationalized qualitative deployment control thresholds.

Quotes:

“If this baseline risk level crosses the risk thresholds defined in Table 1…it triggers our commitment to implement mitigations, and to
validate that these mitigations reduce risk to acceptable levels commensurate for its deployment mechanism. (p16)

“Within this context, we will evaluate the efficacy of our mitigations to ensure they are sufficiently robust and ensure that the model cannot materially enable any of the catastrophic outcomes we have defined, considering the way it would be deployed.” (p.26)

“In the case where pre-mitigation testing suggests that a model has crossed the high risk threshold, we will not deploy the model externally unless we have strong additional evidence that mitigations are sufficiently robust to adversarial attacks that the fully mitigated model is reduced to moderate or lower levels.” (p.32)

2.2.2.2.2 All KRI thresholds have corresponding quantitative deployment KCI thresholds (50%) 25%

This criterion is partially fulfilled, but only unevenly and in limited areas. Meta’s framework contains several genuinely quantitative deployment-related thresholds tied to mitigation adequacy (although listed as illustrative examples, which can have several meanings). However, these are not consistently structured as a comprehensive set of deployment KCIs mapped to all KRI thresholds. Quantitative deployment thresholds exist in specific domains (especially Cyber, CBRN, and Loss of Control), but the framework lacks a unified quantitative KCI architecture.

Quotes:

“our risk acceptance criteria includes at least 80% refusal or safe responses, and 40% refusal or safe responses against all adversarial attacks within a typical adversarial attack portfolio” (p33)

“our risk acceptance criteria include thresholds such as at least 40% on MASK and at most 50% on Agent Misalignment.” (p.35)

2.2.2.3 For advanced KRIs, assurance process KCIs are defined (30%) 50%

This criterion is partially fulfilled. Meta does define several kinds of assurance-process requirements that become mandatory once advanced-AI-related thresholds are crossed — especially for autonomous AI behavior, monitor evasion, evaluation awareness, and autonomous AI R&D capabilities. However, these assurance-process KCIs are generally not mapped to KRI threshold. Still, compared to many frameworks, Meta is relatively strong here because it explicitly recognizes that advanced-agentic risks require stronger assurance, monitoring, evaluation robustness, safety cases, and monitorability mechanisms.

Quotes:

“We also account for model capabilities and propensities that might undermine the reliability of model evaluation results, such as whether a model can identify when it is being evaluated and, in such cases, selectively adapt its outputs.” (p.25)

“Loss of Control 1: Loss of ability to evaluate AI safety before deployment.” (p.22)

2.2.3 Pairs of thresholds are grounded in risk modeling to show that risks remain below the tolerance (20%) 25%

This criterion is partially fulfilled, but only at a relatively high and qualitative level. Meta’s framework demonstrates a meaningful attempt to ground threshold–mitigation pairings in structured threat modeling, evaluations, and residual-risk reasoning. However, it falls short of a fully quantified safety-case-style justification showing that each KRI–KCI pairing keeps residual risk below explicitly defined tolerances with quantified confidence levels. Compared to many frameworks, Meta is relatively sophisticated in explicitly discussing residual risk and mitigation adequacy.

Quotes:
“Mitigations should be sufficiently robust against adversarial attacks that are realistic given the deployment strategy and threat scenario”. (p.26)

2.2.4 Policy to put development on hold if the required KCI threshold cannot be achieved, until sufficient controls are implemented to meet the threshold (20%) 50%

This criterion is fairly strongly fulfilled for deployment pauses and partially fulfilled for development pauses, though there are still important ambiguities around operationalization and de-deployment. Meta’s framework repeatedly states that deployment will not proceed unless mitigations are implemented and validated and that development may be halted or constrained at critical thresholds. Meta is relatively explicit about conditions under which development and deployment cannot proceed. However, the exact operational pause procedures are underdeveloped, “pause” language is often implicit rather than explicit, and de-deployment processes are only lightly addressed.

Quotes:
“Proceed with deployment of the Frontier AI only if sufficient mitigations are defined, implemented and validated to reduce risk to that of a moderate or lower mode;.” (p.15)

“Should either scenario arise, we will only continue development of the Frontier AI if our risk assessments are complete and safeguards are defined, implemented and validated to reduce risk to the moderate or lower risk threshold.” (p 17)

“Until evaluation on the complex suite of challenges is completed, any model meeting the simple-suite threshold is provisionally rated “high” risk for the given
deployment scenario and such deployment will not be implemented.” (p.29)

Back to top

3.1 Implementing Mitigation Measures (50%) 15%

3.1.1 Containment measures (35%) 6%

3.1.1.1 Containment measures are precisely defined for all KCI thresholds (60%) 10%

This criterion is partially fulfilled. Meta’s framework contains many concrete containment measures that are reasonably precise. However, the framework generally does not provide a systematically defined mapping between every containment KCI threshold and a corresponding precise containment control set. Many measures remain high-level, adaptive, or illustrative rather than fully specified operational controls. The framework is stronger on identifying categories of containment measures, describing when stronger controls are required, and tying controls to risk thresholds than on precisely specifying all containment measures at each threshold level.

Quotes:
“Initiate protocols for heightened access controls to model weights as overseen by the Chief AI Officer and/or Director of Alignment and Risk, to prevent their tampering
or exfiltration insofar as is technically feasible and commercially practicable.” (p.15)

“we maintain processes to ensure our model weight security meets a baseline of controls to protect model weights from exfiltration or tampering by internal and external threat actors”. (p27)

3.1.1.2 Proof that containment measures are sufficient to meet the thresholds (40%) 0%

This criterion is not fulfilled. Meta demonstrates a reasonably mature process for validating containment measures. However, the framework does not provide proof that containment measures are sufficient to satisfy predefined containment KCI thresholds.

Quotes:
No relevant quotes found.

3.1.1.3 Strong third party verification process to verify that the containment measures meet the threshold (100% if 3.1.1.3 > [60% x 3.1.1.1 + 40% x 3.1.1.2]) 0%

There is no mention of third-party verification that containment measures meet the threshold.

Quotes:

No relevant quotes found.

3.1.2 Deployment measures (35%) 19%

3.1.2.1 Deployment measures are precisely defined for all KCI thresholds (60%) 25%

This criterion is partially fulfilled, with stronger performance in some domains than others. Meta’s framework defines a number of deployment measures with reasonable operational specificity, including deployment-type distinctions, deployment gating conditions, deployment-specific adversary models, rate limits, classifiers, logging, identity controls, refusal systems, and deployment-context-aware mitigations.

However, it does not provide a comprehensive, threshold-by-threshold deployment control catalog where all deployment KCI thresholds have precisely defined deployment measures. Many measures remain adaptive, illustrative, discretionary, or high-level.

Quotes:

“Re-evaluate performance of the model when deployed with system level mitigations available for the given deployment scenario (e.g., input/output/conversation level classifiers, strict rate limits, abuse monitoring, identity controls, and logging).” (p.31)

“The mitigations described in the remainder of the document are adaptive, reflecting flexibility to implement measures that are most appropriate for each scenario.” (p.16)

3.1.2.2 Proof that deployment measures are sufficient to meet the thresholds (40%) 100%

This criterion is only weakly fulfilled. Meta has a relatively mature process for testing and validating deployment measures. However, the framework generally does not provide rigorous pre-emptive proof that specific deployment measures will achieve predefined deployment KCI thresholds before the risk threshold is crossed.

Quotes:
“Within this context, we will evaluate the efficacy of our mitigations to ensure they are sufficiently robust and ensure that the model cannot materially enable any of the catastrophic outcomes we have defined, considering the way it would be deployed.” (p.26)

3.1.2.3 Strong third party verification process to verify that the deployment measures meet the threshold (100% if 3.1.2.3 > [60% x 3.1.2.1 + 40% x 3.1.2.2]) 0%

There is no mention of third-party verification of deployment measures meeting the threshold.

Quotes:

No relevant quotes found.

3.1.3 Assurance processes (30%) 22%

3.1.3.1 Credible plans towards the development of assurance processes (40%) 25%

This criterion is moderately fulfilled, and in some respects comparatively strong. Meta explicitly acknowledges that current assurance methodologies are immature, identifies future assurance needs tied to advanced KRIs, and outlines research and capability-development plans intended to mature assurance processes before dangerous capability thresholds are reached. However, the framework is still limited because it does not provide detailed technical roadmaps, milestone schedules, quantified capability forecasts, or clear timelines tying assurance maturity to expected model progress. Still, compared to many frameworks, Meta is unusually explicit about: assurance insufficiency, monitorability risks, evaluation failure modes, and the need to build new assurance capabilities before advanced AI capabilities emerge.

Quotes:
“We expect that assessing these threat scenarios will require new types of evaluation and monitoring systems, including the use of monitoring systems to analyze deployment usage patterns of internally deployed Frontier AI at Meta.” (p.38)

“AI development accelerates such that new capabilities and behaviors emerge faster than the organization’s evaluation processes”. (p.22)

3.1.3.2 Evidence that the assurance processes are enough to achieve their corresponding KCI thresholds (40%) 10%

There is some recognition of the need, but no evidence per se.

Quotes:
“We also account for model capabilities and propensities that might undermine the reliability of model evaluation results, such as whether a model can identify when it is being evaluated and, in such cases, selectively adapt its outputs.” (p.25)

“Monitor interference: Ability to disable or corrupt oversight mechanisms to avoid detection”. (p.23)

3.1.3.3 The underlying assumptions that are essential for their effective implementation and success are clearly outlined (20%) 50%

This criterion is moderately fulfilled, and comparatively strong relative to most current frameworks. Meta explicitly identifies several core assumptions underlying its assurance approach and, importantly, treats many of these assumptions as fragile and empirically testable rather than guaranteed. The framework is especially notable for recognizing risks like evaluation awareness, monitor evasion, deceptive adaptation, and monitor corruption, explicitly stress-testing these assumptions, and acknowledging that current assurance techniques may fail. However, it still falls short of full fulfillment because: the assumptions are not systematically enumerated, confidence levels are largely absent, formal validation arguments are limited, and some foundational assumptions remain implicit rather than fully articulated.

Quotes:
“We also account for model capabilities and propensities that might undermine the reliability of model evaluation results, such as whether a model can identify when it is being evaluated and, in such cases, selectively adapt its outputs.” (p.25)

‘Selective evaluation-adaptive behavior: Ability to systematically modify outputs during evaluations”. (p.23)

“humans ceding oversight due to AI’s outputs exceeding human supervisory capacity”. (p.38)

“Researching and implementing approaches to maintain effective model monitorability as capabilities advance”. (p.36)

3.2 Continuous Monitoring and Comparing Results with Pre-determined Thresholds (50%) 25%

3.2.1 Monitoring of KRIs (40%) 30%

3.2.1.1 Justification that elicitation methods used during the evaluations are comprehensive enough to match the elicitation efforts of potential threat actors (30%) 50%

This criterion is fairly strongly fulfilled relative to most current frameworks, especially in the cybersecurity and Loss of Control sections. Meta explicitly recognizes the problem of underestimating model capabilities due to insufficient elicitation and devotes substantial attention to upper-bounding capabilities under realistic adversarial conditions.The framework is notably strong on deployment-context-aware elicitation, adversarial elicitation assumptions, evaluating helpful-only/refusal-free variants, fine-tuning-based elicitation, agentic scaffolding, generous compute/token budgets, and modeling sophisticated adversaries. However, it still falls short of full fulfillment because quantitative detail is limited, resource bounds are not rigorously specified, and there is no formal argument that elicitation truly upper-bounds threat actors.

Quotes:
“In addition to the measures above, we also follow best practices for elicitation in our evaluations to ensure that we are not underestimating the capabilities of the model, commensurate with the deployment strategy. This may include fine-tuning our models on a relevant set of information or tasks, fine-tuning models to be helpful-only (i.e., refusal-free), and conducting evaluations on models without mitigations.” (p.27)

“Agents will be provided with a generous token budget, up to the maximum context length or to the point at which performance plateaus.” (p.27)

“We prepare the asset – the version of the model that we will test – in a way that seeks to account for the tools and scaffolding in the current ecosystem that could be leveraged to enhance the model’s capabilities.” (p.26)

3.2.1.2 Evaluation frequency (25%) 25%

This criterion is partially fulfilled, but unevenly and only moderately overall. Meta clearly establishes that evaluations are recurring, escalation-triggered, and tied to capability progress and deployment changes. The framework is relatively good at dynamic reassessment, threshold-triggered reevaluation, and deployment-change-triggered reevaluation. However, it falls short because evaluation frequency is not systematically operationalized, compute-based triggers are only partially specified, fixed time cadences are sparse, and justification for chosen frequencies is limited.

Quotes:
“Throughout development, we monitor performance against our expectations for the reference class as well as the enabling capabilities we have identified in our threat scenarios, and use these indicators as triggers for further evaluations as capabilities develop.” (p.5)

“We typically repeat evaluations as a Frontier AI model nears or completes training.” (p.26)

“If performance thresholds for these evaluations are reached, we then expand our assessment to improve coverage, specificity, and realism.” (p.25)

3.2.1.3 Description of how post-training enhancements are factored into capability assessments (15%) 50%

This criterion is moderately fulfilled, and comparatively stronger than many current frameworks, because Meta explicitly recognizes that
post-training enhancements, scaffolding, tool augmentation, fine-tuning, elicitation improvements, and deployment-context changes can substantially increase effective capabilities after base-model evaluation. The framework is especially strong on incorporating post-training enhancements directly into evaluations, deployment-aware capability assessments, agentic scaffolding, fine-tuning-based elicitation, and continual reevaluation as new elicitation methods emerge. However, it falls short because there are no explicit uncertainty/safety margins, no quantified forecasting methodology, limited discussion of reasoning-model inference scaling, and no formal methodology for bounding future post-training gains.

Quotes:
“We design our evaluations to account for how the model will be deployed, including assessing how its capabilities might be enhanced.”(p.6)

“we prepare the asset – the version of the model that we will test – in a way that seeks to account for the tools and scaffolding in the current ecosystem that could be leveraged to enhance the model’s capabilities.” (p.26)

“Release of one of our existing released models with significant changes that materially increase capabilities in preparedness-relevant domains. This may include, for example, integration of new tools, scaffolding, or workflows.” (p.7)

3.2.1.4 Vetting of protocols by third parties (15%) 10%

This criterion is mostly unmet, though Meta does include limited elements of external review and external expert participation around evaluations and threat modeling.
The framework does demonstrate involvement of external experts in evaluations, external red teaming, and some transparency regarding methodologies through preparedness reports. However, it does not establish a structured process for independent third-party vetting of KRI assessment methodologies, evaluation protocols or
elicitation methods.

Quotes:
“Where appropriate, we work with external experts to complement and inform our evaluations.” (p.7)

3.2.1.5 Replication of evaluations by third parties (15%) 10%

This criterion is mostly unmet, although Meta does include some limited external participation in evaluations and red teaming. The framework does not establish a formal process whereby KRIs are independently assessed by third parties, internal KRI assessments are systematically replicated externally, or external auditors independently validate KRI status determinations.

Quotes:

No relevant quotes found.

3.2.2 Monitoring of KCIs (40%) 13%

3.2.2.1 Detailed description of evaluation methodology and justification that KCI thresholds will not be crossed unnoticed (40%) 25%

This criterion is moderately fulfilled, and comparatively stronger than many current frameworks, because Meta devotes substantial attention to ongoing mitigation monitoring, adversarial robustness testing, continuous reassessment, deployment-context-aware safeguard evaluations, and explicit testing of safeguard failure modes.
The framework is particularly strong on continuous monitoring concepts, adversarial evaluation methodology, detection of safeguard degradation, and explicit failure-mode-oriented evaluation (especially in Loss of Control). However, it still falls short because monitoring methodologies are not fully operationalized, confidence levels are largely absent, statistical detection guarantees are not defined, and continuous KCI-monitoring governance remains relatively high-level.

Quotes:
““Following deployment, we will continue to monitor for the efficacy of our mitigations.” (p.33)

“AI performance in testing environments consistently fails to predict deployment behavior”. (p.23)

3.2.2.2 Vetting of protocols by third parties (30%) 0%

There is no mention of KCIs protocols being vetted by third parties.

Quotes:

No relevant quotes found.

3.2.2.3 Replication of evaluations by third parties (30%) 10%

This criterion is largely unmet, although Meta does include limited external participation in mitigation evaluations and some transparency around safeguard assessments.

Quotes:

“evaluation methodology, including details about elicitation, time and resources spent, and access given to internal and external evaluators.” (p.8)

3.2.3 Transparency of evaluation results (10%) 43%

3.2.3.1 Sharing of evaluation results with relevant stakeholders as appropriate (85%) 50%

This criterion is partially fulfilled, with relatively strong performance on public transparency around evaluations and preparedness reporting, but weaker performance on explicit commitments to notify regulators or government authorities when KRIs are crossed. Meta’s framework is comparatively strong on publishing preparedness reports, publicly disclosing evaluation methodologies and results, explaining deployment decisions, and updating reports when risks materially change. However, it falls short because there is no explicit commitment to mandatory regulator notification upon KRI threshold crossings, transparency remains discretionary in important areas,
and not all KRI/KCI assessments are guaranteed to be public.

Quotes:
“Preparedness reports will describe our risk assessment, evaluation results, implemented mitigations, and rationale for deployment decisions.” (p.8)

“We will aim to fully explain the scope and design goals of each set of evaluations.” (p.8)

“We will update a preparedness report promptly when there is a change in circumstances that materially alters our previous risk assessment. (p.9)

3.2.3.2 Commitment to non-interference with findings (15%) 0%

No commitment to permitting the reports, which detail the results of external evaluations (i.e. any KRI or KCI assessments conducted by third parties), to be written independently and without interference or suppression.

Quotes:
No relevant quotes found.

3.2.4 Monitoring for novel risks (10%) 30%

3.2.4.1 Identifying novel risks post-deployment: engages in some process (post deployment) explicitly for identifying novel risk domains or novel risk models within known risk domains (50%) 10%

This criterion is moderately fulfilled, and comparatively stronger than many current frameworks, particularly because Meta explicitly acknowledges the incompleteness of current risk models, the possibility of unforeseen threat scenarios, and the need for ongoing post-deployment monitoring and evolving threat modeling. The framework contains several concrete mechanisms aimed at identifying novel threat scenarios, emerging capability combinations, new failure modes, and previously unanticipated risks. Meta is especially strong on acknowledging uncertainty and unknown unknowns, iterative threat modeling, post-deployment monitoring, and Loss of Control research. However, it falls short because the process remains relatively high-level, justification for why novel-risk detection will succeed is limited, and operational procedures for systematically discovering unknown risks are underdeveloped.

Quotes:
“we cannot claim to have anticipated all potential threat scenarios.” (p.13)

“These evaluations serve as sensitive detectors for potential risk”. (p.25)

3.2.4.2 Mechanism to incorporate novel risks identified post-deployment (50%) 50%

This criterion is moderately fulfilled, and one of the stronger aspects of Meta’s adaptive governance approach. The framework explicitly states that new risks, new threat scenarios, new capability patterns, and post-deployment developments can trigger updates to evaluations, threat models, mitigations, and preparedness assessments. Meta is comparatively strong on iterative threat-model evolution, reassessing risks after incidents or capability changes, and expanding evaluations when new concerns emerge. The framework is especially notable for recognizing that emerging evidence in one area may imply broader systemic reassessment needs. However, it still falls short because the update/escalation process is not fully operationalized, cross-domain propagation logic is underdeveloped, and there is limited procedural detail on how novel findings systematically alter risk models.

Quotes:
“We will update a preparedness report promptly when there is a change in circumstances that materially alters our previous risk assessment.” (p.9)

“We are continuing to explore and develop threat scenarios”. (p.37)

“as capabilities develop, new evaluations are developed.” (p.5)

Back to top

4.1 Decision-making (25%) 36%

4.1.1 The company has clearly defined risk owners for every key risk identified and tracked (25%) 50%

This criterion is moderately to strongly fulfilled, and is one of the comparatively stronger governance areas in Meta’s framework. Meta clearly identifies named senior executives, governance bodies, review authorities, and organizational responsibilities for frontier AI risk management. While the framework does not always assign a unique owner to every individual risk domain (e.g., cyber vs CBRN vs loss of control), it does establish a reasonably clear governance hierarchy with designated responsible executives overseeing risk evaluation, mitigation, deployment decisions, and ongoing oversight.

Quotes:
“Meta’s Chief AI Officer oversees the design, implementation, and operation of the entire evaluation and mitigation process.” (p.10)

“the Director of Alignment and Risk will determine whether to request further testing or information, require additional mitigations or improvements, or approve
the model for deployment.” (p.7)

“Findings at any stage might prompt discussions via our centralized review process, which ensures that senior decision-makers are involved throughout the lifecycle of development, deployment, and use.” (p.4)

4.1.2 The company has a dedicated risk committee at the management level that meets regularly (25%) 10%

The framework does not reference a management risk committee, but references decisions being made by a specific leadership team.

Quotes:

“Findings at any stage might prompt discussions via our centralized review process, which ensures that senior decision-makers are involved throughout the lifecycle of development, deployment, and use” (p.4)

“The residual risk assessment is reviewed by the relevant research and/or product teams, as well as a multidisciplinary team of reviewers as needed”. (p.7)

4.1.3 The company has defined protocols for how to make go/no-go decisions (25%) 75%

This criterion is moderately to strongly fulfilled, and this is one of the clearer governance strengths of Meta’s framework. Meta provides explicit deployment approval criteria, threshold-triggered escalation pathways, mitigation-gated progression rules, structured review processes and risk-tier-dependent decision logic. Compared to many current frontier-AI frameworks, Meta’s go/no-go governance is relatively operationalized and concrete. However, it still falls short of full fulfillment because some decision criteria remain qualitative, discretion remains substantial, and formal escalation/veto procedures are not fully specified.

Quotes:
“Proceed with deployment of the Frontier AI only if sufficient mitigations are defined, implemented and validated to reduce risk to that of a moderate or lower model.” (p.15)

“Should either scenario arise, we will only continue development of the Frontier AI if our risk assessments are complete and safeguards are defined, implemented and validated to reduce risk to the moderate or lower risk threshold.” (p.17)

“Frontier AI that meets the high or critical risk threshold requires additional mitigations before deployment or before additional development respectively.” (p.16)

4.1.4 The company has defined escalation procedures in case of incidents (25%) 10%

This criterion is partially fulfilled, but only moderately and with significant operational gaps. Meta’s framework references a comprehensive incident response progra, but does not provide a detailed incident-response framework comparable to mature operational-risk regimes. In particular, the framework lacks detailed escalation workflows, defined incident severity levels, operational response timelines, harm-reduction playbooks, communication procedures, and structured external-notification protocols.

Quotes:
“We will update a preparedness report promptly when there is a change in circumstances that materially alters our previous risk assessment”. (p.9)

“if the model was involved in a major incident”. (p.9)

“Effective risk management requires preparation not only for ongoing operations but also for unexpected tail events. We maintain a comprehensive global incident response program, including identifying incidents from both internal and external sources, and reporting critical incidents as appropriate.” (p.11)

4.2. Advisory and Challenge (20%) 75%

4.2.1 The company has an executive risk officer with sufficient resources (16.7%) 75%

This criterion is partially fulfilled, with relatively strong evidence for the existence of a senior risk-governance executive role, but weaker evidence regarding independence and resourcing. Meta clearly designates senior executives responsible for preparedness evaluations, mitigation oversight, deployment governance, and operation of the framework. In particular, the role of the Director of Alignment and Risk comes closest to an executive risk officer function. However, the framework does not fully clarify independence from product/development incentives, separation between oversight and operational ownership, or formal authority structures comparable to mature enterprise risk-management models. Compared to many current frontier-AI frameworks, Meta performs reasonably well here, but falls short of a fully mature independent risk-office structure.

Quotes:
“The Chief AI Officer supervises and is supported by the Director of Alignment and Risk, who bears responsibility for executing the lifecycle of risk assessment and mitigation, preparedness reports, updates to this Advanced AI Scaling Framework, internal use reports, and related deployments and disclosures, with model deployment following appropriate consultation with relevant teams and with the approval of the Chief AI Officer. The Chief AI Officer will ensure that the Director of
Alignment and Risk has resources, including human, financial, and computational resources, sufficient to perform state-of-the-art risk mitigation and assessment.” (p.10)

“the Chief AI Officer or the Director of Alignment and Risk will determine whether to request further testing or information, require additional mitigations or improvements, or approve the model for deployment.” (p.7)

4.2.2 The company has a committee advising management on decisions involving risk (16.7%) 10%

This criterion is partially fulfilled, but only moderately. Meta’s framework does describe centralized review processes, multidisciplinary review structures, and involvement of senior decision-makers and governance functions. However, it does not clearly establish a formal advisory risk committee with defined membership, regular meeting cadence, explicit advisory responsibilities, or formally documented risk expertise requirements.

Quotes:
“The residual risk assessment is reviewed by the relevant research and/or product teams, as well as a multidisciplinary team of reviewers as needed.” (p.7)

4.2.3 The company has an established system for tracking and monitoring risks (16.7%) 25%

This criterion is moderately fulfilled, though the framework describes more of a governance and monitoring process than a clearly operationalized centralized risk-tracking system or dashboard. Meta does provide ongoing monitoring processes, structured reassessment mechanisms, threshold-based escalation, preparedness reporting, recurring evaluations, and centralized governance review. These collectively imply a functioning risk-tracking system. However, the framework does not explicitly describe a centralized risk dashboard, aggregated enterprise risk tracking, live KRI/KCI monitoring systems, formal risk registers, or operational telemetry infrastructure.

Quotes:
“Throughout development, we monitor performance against our expectations for the reference class as well as the enabling capabilities we have identified in our threat scenarios, and use these indicators as triggers for further evaluations as capabilities develop.” (p.5)

“If this baseline risk level crosses the risk thresholds defined in Table 1.”(p.16)

 

4.2.4 The company has designated people that can advise and challenge management on decisions involving risk (16.7%) 10%

This criterion is only partly fulfilled. Meta clearly identifies senior risk-focused executives, multidisciplinary review structures, centralized governance review processes, and internal governance functions that collectively provide advisory and challenge capacity around risk decisions. Compared to many current frontier-AI frameworks, Meta performs reasonably well on establishing internal challenge mechanisms, though the framework still lacks formal independence structures, explicit challenge rights, escalation protections, and detailed governance-process mechanics.

Quotes:
“The residual risk assessment is reviewed by the relevant research and/or product teams, as well as a multidisciplinary team of reviewers as needed”. (p.7)

4.2.5 The company has an established system for aggregating risk data and reporting on risk to senior management and the Board (16.7%) 25%

This criterion is weakly to moderately fulfilled, because Meta clearly has mechanisms for aggregating and escalating risk information to senior management, but the framework provides very limited detail regarding Board reporting, reporting cadence, reporting formats, structured risk dashboards, or enterprise risk-reporting governance. The framework is stronger on centralized governance review, executive-level oversight, preparedness reporting, and escalation to senior decision-makers.
However, it falls significantly short of a mature enterprise-risk-governance framework with explicit Board reporting structures and formalized management information systems.

Quotes:
” Findings at any stage might prompt discussions via our centralized review process, which ensures that senior decision-makers are involved throughout the lifecycle of development, deployment, and use.” (p.4)

“Meta’s Chief AI Officer oversees the design, implementation, and operation of the entire evaluation and mitigation process. ” (p.10)

4.2.6 The company has an established central risk function (16.7%) 50%

This criterion is moderately fulfilled, and this is one of the stronger governance-organizational aspects of Meta’s framework. Meta clearly describes a function led by the Director of Alignment and Risk.

Quotes:
“The Chief AI Officer supervises and is supported by the Director of Alignment and Risk, who bears responsibility for executing the lifecycle of risk assessment and mitigation, preparedness reports, updates to this Advanced AI Scaling Framework, internal use reports, and related deployments and disclosures, with model deployment following appropriate consultation with relevant teams and with the approval of the Chief AI Officer. The Chief AI Officer will ensure that the Director of
Alignment and Risk has resources, including human, financial, and computational resources, sufficient to perform state-of-the-art risk mitigation and assessment.” (p.10)

4.3 Audit (20%) 30%

4.3.1 The company has an internal audit function involved in AI governance (50%) 50%

There is an “internal governance function” that seems to have an assurance and compliance role.

Quotes:
“Meta has a mandatory risk review process for new launches across the company that
demonstrates risks are sufficiently mitigated and verifies implementation prior to launch.
In addition, Meta’s internal governance function periodically reviews our risk
management practices and provides compliance oversight for product teams. This team
is given sufficient access and resources to perform this role effectively.” (p.10)

4.3.2 The company involves external auditors (50%) 10%

Meta references engagement with external experts in the risk assessment process, but does not commit to independent external audits. External experts appear to serve an advisory function rather than an assurance function. Meta does not describe external review of control effectiveness or Framework adherence.

Quotes:

“In each of these risk domains, this Framework identifies specific catastrophic outcomes and the threat scenarios which may enable these outcomes, based on threat modeling exercises we run with internal and (where appropriate) external experts with relevant domain expertise.” (p.1)

4.4 Oversight (20%) 5%

4.4.1 The Board of Directors of the company has a committee that provides oversight over all decisions involving risk (50%) 10%

This criterion is weakly fulfilled. The framework mentions that the Board provides oversight, which is positive, but offers no details of any committees or the basis of their oversight.

Quotes:
“Meta’s Board of Directors provides oversight of the company’s product and regulatory compliance, ensuring accountability across all lines of defense.” (p.10)

4.4.2 The company has other governing bodies outside of the Board of Directors that provide oversight over decisions (50%) 0%

No mention of any additional governance bodies.

Quotes:

No relevant quotes found.

4.5 Culture (10%) 28%

4.5.1 The company has a strong tone from the top (33.3%) 10%

This criterion is fulfilled fairly well. The document repeatedly communicates a strong organizational commitment to managing catastrophic and frontier-AI risks, willingness to constrain deployment and development based on risk, commitment to transparency, investment in safeguards and evaluations, and recognition of uncertainty and responsibility. However, the framework provides less details on incentives, internal culture-building, etc. and simultaneously emphasizes openness/ open-weight releases, rapid innovation, and broad deployment.

Quotes:
“Realizing this will require highly capable AI systems that are reliable, robust, and secure.” (p.1)

“Should either scenario arise, we will only continue development of the Frontier AI if our risk assessments are complete and safeguards are defined, implemented and
validated to reduce risk to the moderate or lower risk threshold.” (p.17)

4.5.2 The company has a strong risk culture (33.3%) 0%

There is no evidence for formal risk-culture programs, training, and organization-wide culture-building mechanisms.

Quotes:
No relevant quotes found.

4.5.3 The company has a strong speak-up culture (33.3%) 75%

Meta’s framework contains a fairly substantial and explicit whistleblower and speak-up governance mechanism, including anonymous reporting, anti-retaliation protections, and escalation to senior governance leadership.

Quotes:
“Meta maintains a comprehensive whistleblower and complaint policy, and is developing further protocols to report any instances of non-compliance with this Advanced AI Scaling Framework, and any specific and substantial danger to the public health or safety arising from catastrophic risk. Under this protocol, employees will be able to confidentially, and, if they choose, anonymously issue reports through internal channels, and all reports will be ultimately submitted to the internal governance function, the Chief AI Officer, and the Director of Alignment and Risk. The protocol will include plans to provide regular updates to the person who made the disclosure about the status of the disclosure and any steps taken to resolve the issue, and all employees who in good faith report non-compliance or decline to engage in unlawful conduct will be explicitly protected from adverse employment action and retaliation.” (p.10)

4.6 Transparency (5%) 50%

4.6.1 The company reports externally on what their risks are (33.3%) 50%

This criterion is well fulfilled, and transparency around risks is one of the strongest aspects of Meta’s framework. Meta repeatedly commits to publicly reporting risks, publishing preparedness reports, and updating reports when risk conditions change.

Quotes:

“We will publish a preparedness report for each closed or open Frontier AI release” (p.7)
“Preparedness reports will describe our risk assessment, evaluation results, implemented mitigations, and rationale for deployment decisions for each risk domain” (p.8)

4.6.2 The company reports externally on what their governance structure looks like (33.3%) 75%

Meta does quite well on this criterion — probably in the strong / above-average range relative to most frontier AI frameworks currently published. Meta explicitly includes a dedicated governance and accountability section, which earns extra credit. Most importantly, they clearly describe governance bodies, escalation processes,
and some interaction between governance functions.

Quotes:
“Meta maintains a robust internal governance structure that integrates risk management standards across the company, including through a “Lines of Defense” risk management model which sets roles and responsibilities across teams to promote effective risk management and accountability. (p.10)

“Meta’s Chief AI Officer oversees the design, implementation, and operation of the entire evaluation and mitigation process. The Chief AI Officer supervises and is supported by the Director of Alignment and Risk, who bears responsibility for executing the lifecycle of risk assessment and mitigation, preparedness reports, updates to this Advanced AI Scaling Framework, internal use reports, and related deployments and disclosures, with model deployment following appropriate consultation with relevant teams and with the approval of the Chief AI Officer. The Chief AI Officer will ensure that the Director of Alignment and Risk has resources, including human, financial, and computational resources, sufficient to perform state-of-the-art risk mitigation and assessment.” (p.10)

4.6.3 The company shares information with industry peers and government bodies (33.3%) 25%

Meta performs fairly well on this criterion, but the commitments are somewhat broad and discretionary rather than highly operationalized.
The framework repeatedly commits to engaging with external experts, governments and the broader AI community. They do not clearly commit to things like sharing model incidents across labs, coordinated vulnerability disclosure or formal regulator notification timelines.

Quotes:
“We will also regularly assess the potential for catastrophic risk from internal use of Frontier AI models and, as appropriate, provide relevant authorities with a summary of these assessments.” (p.9)

“For certain types of catastrophic risk, this will necessarily include working with government officials, who have the specific knowledge and expertise to enable proper assessment.” (p.5)

Back to top