datarekha

Frontier safety frameworks

How do labs decide a model is too dangerous to deploy — or even to keep training? Frontier safety frameworks turn that judgment into an if-then commitment: define capability thresholds, evaluate models for them with dangerous-capability evals, and escalate required safeguards when a threshold is crossed. RSP, Preparedness, and FSF are the same idea with different names.

7 min read Advanced Generative AI Lesson 41 of 63

What you'll learn

  • The if-then structure — capability thresholds trigger safeguards
  • RSP, Preparedness Framework, and FSF — the same pattern across labs
  • Dangerous-capability evaluations — METR, WMDP, third-party evals
  • Why the frameworks are proactive, and their real limitations

Before you start

How does a frontier lab decide a model is too dangerous to deploy — or too dangerous to keep training? Not by vibes. The answer is a frontier safety framework: a written, if-then commitment that ties capability thresholds to required safeguards. Define what would be dangerous, measure whether the model has it, and gate progress on having the matching protections in place.

The if-then structure

Every framework shares one pattern: define capability thresholds → evaluate for them → if a threshold is crossed, escalate the required safeguards before proceeding.

thresholds = [   # (level, dangerous capability, required safeguard)
    ("ASL-2", "current LLMs",                 "standard security"),
    ("ASL-3", "uplift to bio/cyber attacks",  "hardened security + deployment filters"),
    ("ASL-4", "autonomous AI R&D / evasion",  "much stronger, partly-undefined measures"),
]
model_eval = "uplift to bio/cyber attacks"    # what a dangerous-capability eval found

for level, cap, safeguard in thresholds:
    here = "  <- eval places the model HERE" if cap == model_eval else ""
    print(f"{level}: {cap}{here}")
    if cap == model_eval:
        print(f"      => REQUIRE before deploy: {safeguard}")
ASL-2: current LLMs
ASL-3: uplift to bio/cyber attacks  <- eval places the model HERE
      => REQUIRE before deploy: hardened security + deployment filters
ASL-4: autonomous AI R&D / evasion

An evaluation places the model at a capability level; crossing into ASL-3 commits the lab in advance to specific safeguards (here, hardened security and deployment filters) before that model may ship. The named frameworks are this same machine:

  • Anthropic — Responsible Scaling Policy (RSP): AI Safety Levels (ASL-1…4), each with capability triggers and required safeguards.
  • OpenAI — Preparedness Framework: tracked risk categories (bio, cyber, autonomy, persuasion) with risk levels and gating.
  • Google DeepMind — Frontier Safety Framework (FSF): “critical capability levels” with mitigations.
If capability crosses a threshold, safeguards escalateASL-2 · current LLMsstandard securityASL-3 · bio/cyber uplifthardened security + filtersASL-4 · autonomous R&D / evasionmuch stronger measuresdangerous-capevalplacesevals measure capability · crossing a threshold gates deployment on the matching safeguards
Capability levels with escalating safeguards; a dangerous-capability evaluation decides which level applies and what’s required before deployment.

Dangerous-capability evaluations

The frameworks are only as good as the evaluations that place a model on the ladder. These are purpose-built tests for the specific dangerous capabilities a threshold names:

  • METR runs autonomy evals — can the model complete long agentic tasks, self-replicate, or meaningfully accelerate AI R&D?
  • WMDP is a benchmark of hazardous knowledge (bio, cyber, chem) used both to measure uplift and to test unlearning of it.
  • Third-party evaluators (METR, Apollo, and government AI Safety Institutes) assess models externally, so the lab isn’t the only judge.

In one breath

  • A frontier safety framework is an if-then commitment: define capability thresholds, evaluate models for them, and escalate required safeguards when a threshold is crossed (the demo: crossing ASL-3 gates deployment on hardened security).
  • The named ones are the same pattern: Anthropic’s RSP (ASL levels), OpenAI’s Preparedness Framework (risk categories), DeepMind’s FSF (critical capability levels).
  • They depend on dangerous-capability evaluations: METR (autonomy/self-replication/AI-R&D), WMDP (hazardous bio/cyber/chem knowledge), and third-party evaluators (Apollo, AI Safety Institutes).
  • Their strength is being proactive (commit to safeguards before the capability arrives) and maturing dangerous-capability eval into a discipline.
  • Limits: mostly voluntary, labs self-grade, thresholds are fuzzy, and eval science is young (absence of a capability is hard to prove) — the case for independent oversight.

Quick check

Quick check

0/4
Q1What is the common 'if-then' structure of frontier safety frameworks?
Q2How do Anthropic's RSP, OpenAI's Preparedness Framework, and DeepMind's FSF relate?
Q3What role do dangerous-capability evaluations (METR, WMDP) play?
Q4What is a key limitation of current frontier safety frameworks?

Next

Frameworks gate on dangerous-capability evals; when a model is uncertain-but-useful, AI control provides runtime safeguards, and at the agent level these become agent safety controls. Supervising the models these frameworks govern is scalable oversight.

Sign in to track your progress

Completed lessons, your XP, level, and streak save to your account — it's free and takes a few seconds.

Related lessons

Explore further

Skip to content