Meta

1.3.2.1 Methodology precisely defined (70%) 50%

The methodology for the overall threat modeling process is defined. To improve, more detail is required; eg. whilst they mention that they “map the potential causal pathways that could produce [catastrophic outcomes]”, Meta could provide greater granularity by identifying the individual steps of each pathway to the threat scenario more precisely, using techniques such as event trees or fault trees or how they elicit information from experts to inform their risk models.

Quotes:

“We start by identifying a set of catastrophic outcomes we must strive to prevent, and then map the potential causal pathways that could produce them. When developing these outcomes, we’ve considered the ways in which various actors, including state level actors, might use/misuse frontier AI. We describe threat scenarios that would be potentially sufficient to realize the catastrophic outcome, and we define our risk thresholds based on the extent to which a frontier AI would uniquely enable execution of any of our threat scenarios.” (p. 10)

“We design assessments to simulate whether our model would uniquely enable these scenarios, and identify the enabling capabilities the model would need to exhibit to do so. Our first set of evaluations are designed to identify whether all of these enabling capabilities are present, and if the model is sufficiently performant on them. If so, this would prompt further evaluation to understand whether the model could uniquely enable the threat scenario […] It is important to note that the pathway to realize a catastrophic outcome is often extremely complex, involving numerous external elements beyond the frontier AI model. Our threat scenarios describe an essential part of the end-to-end pathway. By testing whether our model can uniquely enable a threat scenario, we’re testing whether it uniquely enables that essential part of the pathway. If it does not, then we know that our model cannot be used to realize the catastrophic outcome, because this essential part is still a barrier. If it does and cannot be further mitigated, we assign the
model to the critical threshold.

This would also trigger a new threat modelling exercise to develop additional threat scenarios along the causal pathway so that we can ascertain whether the catastrophic outcome is indeed realizable, or whether there are still barriers to realizing the catastrophic outcome.” (p. 11)

“Threat modelling is a structured process of identifying how different threat actors could leverage frontier AI to produce specific – and in this instance catastrophic – outcomes. This process identifies the potential causal pathways for realizing the catastrophic outcome.

Threat scenarios describe how different threat actors might achieve a catastrophic outcome. Threat scenarios may be described in terms of the tasks a threat actor would use a frontier AI model to complete, the particular capabilities they would exploit, or the tools they might use in conjunction to realize the catastrophic outcome.” (p. 20)

1.3.2.2 Mechanism to incorporate red teaming findings (15%) 0%

No mention of risks identified during open-ended red teaming or evaluations triggering further risk modeling.

Quotes:

No relevant quotes found.

1.3.2.3 Prioritization of severe and probable risks (15%) 25%

There is an explicit intent to prioritize “the most urgent catastrophic outcomes” amongst all the identified causal pathways (ie risk models). For a risk to be monitored, they also require that the risk pathway deriving from the model is plausible and catastrophic; the latter criterion prioritizes severity, whilst the former prioritizes nonzero probability. It is commendable that this prioritization occurs from the full space of risk models, rather than from prespecified risk domains.

However, importantly, the list of identified scenarios, plus justification for why their chosen risk models are most severe or probable plus the severity and probability scores of deprioritised risk models, is not detailed. To improve, they could reference their work done in risk modelling in the framework, such as (Wan et al., 2024)

Quotes:

“We start by identifying a set of catastrophic outcomes we must strive to prevent, and then map the potential causal pathways that could produce them. When developing these outcomes, we’ve considered the ways in which various actors, including state level actors, might use/misuse frontier AI. We describe threat scenarios that would be potentially sufficient to realize the catastrophic outcome, and we define our risk thresholds based on the extent to which a frontier AI would uniquely enable execution of any of our threat scenarios.

[…]
An outcomes-led approach also enables prioritization. This systematic approach will allow us to identify the most urgent catastrophic outcomes – i.e., within the domains of cybersecurity and chemical and biological weapons – and focus our efforts on avoiding these outcomes rather than spreading efforts across a wide range of theoretical risks from particular capabilities that may not plausibly be presented by the technology we are actually building.” (p. 10)

“For this Framework specifically, we seek to consider risks that satisfy all four criteria:

Plausible: It must be possible to identify a causal pathway for the catastrophic outcome,
 and to define one or more simulatable threat scenarios along that pathway.

Catastrophic: The outcome would have large scale, devastating, and potentially irreversible harmful effects.

Net new: The outcome cannot currently be realized as described (e.g. at that scale /
 by that threat actor / for that cost) with existing tools and resources.

Instantaneous or irremediable: The outcome is such that once realized, its catastrophic impacts are immediately felt, or inevitable due to a lack of feasible measures to remediate.” (p. 12)

2.1.1.1 Risk tolerance is at least qualitatively defined for all risks (33%) 75%

For each risk domain, they outline the “catastrophic outcomes we must strive to prevent” in detail. Implicitly, this is a risk tolerance. For instance, “Cyber 3: Widespread economic damage to individuals or corporations via scaled long form fraud and scams.” More detail could be given, e.g. on what constitutes “widespread economic damage” and to how many individuals/corporations.

They also more abstractly set out their risk tolerance, though do not call it explicitly a risk tolerance. For instance, they do not release if “the model provides significant uplift towards execution of a threat scenario (i.e. significantly enhances performance on key capabilities or tasks needed to produce a catastrophic outcome) but does not enable execution of any threat scenario that has been identified as potentially sufficient to produce a catastrophic outcome.” This means their implicit risk tolerance is the risk level associated with this scenario.

To improve, they should set out the risk tolerance for each risk domain in terms of probability and severity, and separate from KRIs. Defining risk tolerance in terms of tangible harm would be more comprehensible to external stakeholders such as policymakers. For example, this could be expressed as economic damages for cybersecurity risks and as number of fatalities for chemical and biological risks.

Quotes:

“We start by identifying a set of catastrophic outcomes we must strive to prevent, and then map the potential causal pathways that could produce them.” (p. 10)

They describe each of the outcomes they are wanting to prevent:
“Cyber 1: Automated end-to-end compromise of a best-practice protected corporate-scale environment (ex. Fully patched, MFA-protected)

Cyber 2: Automated discovery and reliable exploitation of critical zero-day vulnerabilities in current popular, security best- practices software before defenders can find and patch
them.

Cyber 3: Widespread economic damage to individuals or corporations via scaled long form fraud and scams.

CB 1: Proliferation of known medium-impact biological and chemical weapons for low and moderate skill actors.

CB 2: Proliferation of high-impact biological weapons, with capabilities equivalent to known agents, for high-skilled actors.

CB 3: Development of high-impact biological weapons with novel capabilities for high-skilled actors.” (pp. 14-15)

2.1.1.2 Risk tolerance is expressed at least partly quantitatively as a combination of scenarios (qualitative) and probabilities (quantitative) for all risks (33%) 10%

The risk tolerance, implicit or otherwise, is not expressed fully or partly quantitatively. To improve, the risk tolerance should be expressed fully quantitatively or as a combination of scenarios with probabilities.

Nonetheless, they mention an intent to quantify risks and benefits; this shows an acknowledgment of quantifying risks, including the risk tolerance. Partial credit is given here.

Quotes:

“We hope that sharing our current approach to development of advanced AI systems will not only promote transparency into our decision-making processes but also encourage discussion and research on how to improve the science of AI evaluation and the quantification of risks and benefits.” (p. 2)

2.1.1.3 Risk tolerance is expressed fully quantitatively as a product of severity (quantitative) and probability (quantitative) for all risks (33%) 0%

Whilst they mention an intent to quantify risks (and benefits), there is no risk tolerance defined quantitatively using severity and probability.

Quotes:

“We hope that sharing our current approach to development of advanced AI systems will not only promote transparency into our decision-making processes but also encourage discussion and research on how to improve the science of AI evaluation and the quantification of risks and benefits.” (p. 2)

2.1.2.1 AI developers engage in public consultations or seek guidance from regulators where available (50%) 0%

No evidence of engaging in public consultations or seeking guidance from regulators for risk tolerance.

Quotes:

No relevant quotes found.

2.1.2.2 Any significant deviations from risk tolerance norms established in other industries is justified and documented (e.g., cost-benefit analyses) (50%) 0%

No evidence of considering whether their approach aligns with or deviates from established norms.

Quotes:

No relevant quotes found.

2.2.1.1 KRI thresholds are at least qualitatively defined for all risks (45%) 50%

They give “example enabling capabilities”, but not the actual KRIs used. To improve, they should commit to actually use these KRIs in their risk management framework, or otherwise detail what KRIs will be used. However, the KRIs used are clear and measurable, and map to actual evaluation results, and appear grounded in risk modeling.

Quotes:

Under “Example Enabling Capabilities”, there are instances of KRIs for each outcome-threat scenario pair. For instance, for “Cyber 1: Automated end-to-end compromise of a best-practice protected corporate-scale environment (ex. Fully patched, MFA-protected)”, they give the KRI “Autonomous cyber operations: Ability to reliably and successfully complete complex CTF challenges at the level of a professional cyber expert.” (p. 14), or for “CB 1: Proliferation of known medium-impact biological and chemical weapons for low and moderate skill actors”, they give “Graduate level knowledge in biology, biochemistry, and chemistry; PhD level proficiency in the relevant sub-specialty for the threat in question; Summarization of scientific and technical information in a way that’s accessible to a non-expert audience” (p. 15).

2.2.1.2 KRI thresholds are quantitatively defined for all risks (45%) 0%

They explicitly do not define quantitative thresholds, though their KRIs are likely able to be quantified, e.g. “Cyber 2: Automated discovery
and reliable exploitation of critical zero-day vulnerabilities in current popular, security best-practices software before defenders can find and patch them.” or “CB 2: Proliferation of highimpact biological weapons, with capabilities equivalent to known agents, for high-skilled actors.”

Whilst it may not be possible to define a “fixed set of quantitative metrics” that would always be sufficient risk indicators, they should still publish the actual evaluations and actual thresholds which they currently operate under. Their threshold may well be a conservative estimate, until improved risk indicators can be developed. This is because KRI-KCI pairings should be as predictable in advance as possible.

Quotes:

“With current evaluations, it is not possible to define a fixed set of quantitative metrics that would indicate sufficient performance across enabling capabilities. We make this assessment [of whether models have crossed capability thresholds] through a process of expert deliberation and analysis of the evidence through our AI governance process.” (p. 16, footnote 8)

2.2.1.3 KRIs also identify and monitor changes in the level of risk in the external environment (10%) 25%

They note that “we may take into account monetary costs as well as a threat actor’s ability to overcome other barriers to misuse relevant to our threat scenarios such as access to compute, restricted materials, or lab facilities” when determining risk. Whilst this is is not quite a risk indicator based on the external environment (i.e., they do not give a threshold that triggers KCIs), it does mean that the KRI does not only factor in model capabilities.

Quotes:

“We may take into account monetary costs as well as a threat actor’s ability to overcome other barriers to misuse relevant to our threat scenarios such as access to compute, restricted materials, or lab facilities. If the results of our evaluations indicate that a frontier AI has a “high” risk threshold by providing significant uplift towards realization of a threat scenario we will not release the frontier AI externally.” (p. 17) and footnote 9, page 17 after “facilities”: “We recognize that as costs for training and adaptation reduce, financial constraints may become less of a barrier to misuse of AI. We will account for changing economic models as necessary.”

2.2.2.1 Containment KCIs (35%) 38%

2.2.2.2 Deployment KCIs (35%) 5%

2.2.2.3 For advanced KRIs, assurance process KCIs are defined (30%) 0%

There are no assurance processes KCIs defined. The framework does not provide recognition of there being KCIs outside of containment and deployment measures.

Quotes:

No relevant quotes found.

3.1.1.1 Containment measures are precisely defined for all KCI thresholds (60%) 10%

They specify that “Access is strictly limited to a small number of experts, alongside security protections to prevent hacking or exfiltration insofar as is technically feasible and commercially practicable” for critical capability thresholds; “Access is limited to a core research team, alongside security protections to prevent hacking or exfiltration” for high capability thresholds; and “Security measures will depend on the release strategy” for moderate capability thresholds. These remain high level and require more detail; for instance, measures should be described for how access will remain limited, and what the security protections include.

Quotes:

“Access is strictly limited to a small number of experts, alongside security protections to prevent hacking or exfiltration insofar as is technically feasible and commercially practicable” for critical capability thresholds (p. 13)

“Access is limited to a core research team, alongside security protections to prevent hacking or exfiltration” for high capability thresholds (p. 13)

“Security measures will depend on the release strategy” for moderate capability thresholds (p. 13)

3.1.1.2 Proof that containment measures are sufficient to meet the thresholds (40%) 10%

After mitigations have been implemented, they “assess residual risk”, giving a process for soliciting proof in general that the residual risk is below the risk tolerance. However, they do not specifically garner proof that containment measures are sufficient to meet the relevant KCI threshold, and do not provide proof ex ante for why they believe their containment measures to be sufficient. This would be required to satisfy the criterion, and moreover may make their currently general assessment more accurate if it became more specific.

Quotes:

“Assess residual risk: We assess residual risk, taking into consideration the details of the risk assessment, the results of evaluations conducted throughout training, and the mitigations thathave been implemented.” (p. 8)

“Models that are not being considered for external release will undergo evaluation toassess the robustness of the mitigations we have implemented, which might includeadversarial prompting, jailbreak attempts, and red teaming, amongst other techniques. This evaluation also will take into account the narrower availability of those models and the security measures in place to prevent unauthorized access.” (p. 17)

3.1.1.3 Strong third party verification process to verify that the containment measures meet the threshold (100% if 3.1.1.3 > [60% x 3.1.1.1 + 40% x 3.1.1.2]) 0%

There is no mention of third-party verification that containment measures meet the threshold.

Quotes:

No relevant quotes found.

3.1.2.1 Deployment measures are precisely defined for all KCI thresholds (60%) 25%

Whilst they define deployment measures in general, such as misuse filtering, fine-tuning etc., these are not tied to the KCI thresholds: for all three capability thresholds, they state that they will “Implement mitigations to
reduce risk to moderate levels” – hence, it can be assumed the measures are not specific to certain KCI thresholds.

The measures described could also use more detail, e.g. “fine-tuning” alone does not give one a good picture of what the mitigation involves; to improve, the framework should describe what they will fine-tune for, and with how much compute, for instance.

Quotes:

“Models that are not being considered for external release will undergo evaluation to assess the robustness of the mitigations we have implemented, which might include adversarial prompting, jailbreak attempts, and red teaming, amongst other techniques. This evaluation also will take into account the narrower availability of those models and the security measures in place to prevent unauthorized access.” (p. 17)

“Evaluation results also guide the mitigations and controls we implement. The full mitigation strategy will be informed by the risk assessment, the frontier AI’s particular capabilities, and the release plans. Examples of mitigation techniques we implement include:
– Fine-tuning
– Misuse filtering, response protocols
– Sanctions screening and geogating
– Staged release to prepare the external ecosystem” (p. 18)

3.1.2.2 Proof that deployment measures are sufficient to meet the thresholds (40%) 25%

A process for providing proof is defined, though only for models not being considered for external release. Proof is not provided ex ante for why they believe their deployment measures to be sufficient. Further, they should detail the difference in burden of proof for deployment measurs to be sufficient between models that are and aren’t considered for external release.

Quotes:

“Models that are not being considered for external release will undergo evaluation to assess the robustness of the mitigations we have implemented, which might include adversarial prompting, jailbreak attempts, and red teaming, amongst other techniques. This evaluation also will take into account the narrower availability of those models and the security measures in place to prevent unauthorized access.” (p. 17)

3.1.2.3 Strong third party verification process to verify that the deployment measures meet the threshold (100% if 3.1.2.3 > [60% x 3.1.2.1 + 40% x 3.1.2.2]) 0%

There is no mention of third-party verification of deployment measures meeting the threshold.

Quotes:

No relevant quotes found.

3.1.3.1 Credible plans towards the development of assurance properties (40%) 10%

Whilst there is a commitment to conduct further research in evaluations, mitigations and monitoring, there isn’t a commitment or mention of developing assurance processes.

Quotes:

“As discussed above, we recognize that more research should be done – both within Meta and in the broader ecosystem – around how to measure and manage risk effectively in the development of frontier AI models. To that end, we’ll continue to work on: (1) improving the quality and reliability of evaluations; (2) developing additional, robust mitigation techniques; and (3) more advanced methods for performing post-release monitoring of open source AI models.” (p. 19)

3.1.3.2 Evidence that the assurance properties are enough to achieve their corresponding KCI thresholds (40%) 0%

There is no mention of providing evidence that the assurance processes are sufficient.

Quotes:

No relevant quotes found.

3.1.3.3 The underlying assumptions that are essential for their effective implementation and success are clearly outlined (20%) 25%

There is an implicit acknowledgment that capability evaluations currently assume deception is not taking place: capabilities like deception “might undermine reliability of [evaluation] results”. However, they do not provide similar assumptions for assurance processes, i.e. mitigations. To improve, the framework should detail the key technical assumptions necessary for the assurance processes to meet the KCI threshold, and evidence for why these assumptions are justified.

Quotes:

“Improving the robustness and reliability of
evaluations is an area of focus for us, and this includes working to ensure that our testing environments produce results that accurately reflect how the model will perform once in production. This includes accounting for capabilities that might undermine reliability of results, such as deception. Ensuring a robust evaluation environment is therefore an essential step in reliably evaluating and risk assessing frontier AI.” (p. 16)

3.2.1.1 Justification that elicitation methods used during the evaluations are comprehensive enough to match the elicitation efforts of potential threat actors (30%) 50%

There is a description of elicitation methods being designed to match the elicitation efforts of potential threat actors, though more detail could be provided to justify that these are comprehensive enough. More detail could be added on which elicitation methods they anticipate would be used by different threat actors, under realistic settings, to justify their elicitation method (with sensitive information redacted), and a listing of the elicitation methods used in evaluations.

Quotes:

“Our evaluations are designed to account for the deployment context of the model. This includes assessing whether risks will remain within defined thresholds once a model is deployed or released using the target release approach. For example, to help ensure that we are appropriately assessing the risk, we prepare the asset – the version of the model that we will test – in a way that seeks to account for the tools and scaffolding in the current ecosystem that a particular threat actor might seek to leverage to enhance the model’s capabilities. We also account for enabling capabilities, such as automated AI R&D, that might increase the potential for enhancements to model capabilities.” (p. 17)

3.2.1.2 Evaluation frequency (25%) 0%

There is no specification of evaluation frequency in terms of the relative variation of effective computing power used in training or fixed time periods.

Quotes:

“We typically repeat evaluations as a frontier AI nears or completes training.” (p. 18)

“We track the latest technical developments in frontier AI capabilities and evaluation, including through engagement with peer companies and the wider AI community of academics, policymakers, civil society organizations, and governments. We expect to update our Framework as our collective understanding of how to measure and mitigate potential catastrophic risk from frontier AI develops, including related to state actors. This might involve adding, removing, or updating catastrophic outcomes or threat scenarios, or changing the ways in which we prepare models to be evaluated. We may choose to reevaluate certain models in line with our revised Framework.” (p. 19)

3.2.1.3 Description of how post-training enhancements are factored into capability assessments (15%) 25%

There is an explicit consideration of automated AI R&D potentially leading to unanticipated post-training enhancements; this nuance is commendable. More detail could be added on how this factor is accounted for, however. Further, more detail could be added on how they account(ed) for how post-training enhancements’ risk profiles change with different model structures – namely, post-training enhancements are much more scalable with reasoning models, as inference compute can often be scaled to improve capabilities.

Quotes:

“Our evaluations are designed to account for the deployment context of the model. This includes assessing whether risks will remain within defined thresholds once a model is deployed or released using the target release approach. For example, to help ensure that we are appropriately assessing the risk, we prepare the asset – the version of the model that we will test – in a way that seeks to account for the tools and scaffolding in the current ecosystem that a particular threat actor might seek to leverage to enhance the model’s capabilities. We also account for enabling capabilities, such as automated AI R&D, that might increase the potential for enhancements to model capabilities.” (p. 17)

“We track the latest technical developments in frontier AI capabilities and evaluation, including through engagement with peer companies and the wider AI community of academics, policymakers, civil society organizations, and governments.” (p. 19)

3.2.1.4 Vetting of protocols by third parties (15%) 0%

There is no mention of having the evaluation methodology vetted by third parties.

Quotes:

No relevant quotes found.

3.2.1.5 Replication of evaluations by third parties (15%) 10%

There is no mention of evaluations being replicated; they mention that external parties may be involved in red teaming, at Meta’s discretion.

Quotes:

“For both cyber and chemical and biological risks, we conduct red teaming exercises once a model achieves certain levels of performance in capabilities relevant to these domains, involving external experts when appropriate.” (p. 8)

3.2.2.1 Detailed description of evaluation methodology and justification that KCI thresholds will not be crossed unnoticed (40%) 50%

The framework acknowledges that monitoring is required to ensure KCIs remain within bounds, i.e. that mitigations are adequate. More detail could be given on how adequacy is assessed, how monitoring is conducted, and the frequency of this monitoring.

Quotes:

“As outlined in the introduction, we expect to update our Frontier AI Framework to reflect developments in both the technology and our understanding of how to manage its risks and benefits. To do so, it is necessary to observe models in their deployed context and to monitor how the AI ecosystem is evolving. These observations feed into the work of assessing the adequacy of our mitigations for deployed models, and the efficacy of our Framework. We will update our Framework based on these
observations.” (p. 19)

3.2.2.2 Vetting of protocols by third parties (30%) 0%

There is no mention of KCIs protocols being vetted by third parties.

Quotes:

No relevant quotes found.

3.2.2.3 Replication of evaluations by third parties (30%) 0%

There is no mention of control evaluations/mitigation testing being replicated or conducted by third-parties.

Quotes:

No relevant quotes found.

3.2.3.1 Sharing of evaluation results with relevant stakeholders as appropriate (85%) 25%

There are commitments to share evaluation results, assumedly to the public, though they qualify this with “plan to continue” rather than a clear commitment. They do not commit to sharing all the KRI and KCI evaluation results for every model, only “relevant information about how we develop and evaluate our models responsibly”. They do not commit to alerting any stakeholders, such as relevant authorities, when/if Critical capabilities are reached.

Quotes:

“In line with the processes set out in this Framework, we intend to continue to openly release models to the ecosystem. We also plan to continue sharing relevant information about how we develop and evaluate our models responsibly, including through artefacts like model cards and research papers, and by providing guidance to model deployers through resources like our Responsible Use Guides.” (p. 9)

3.2.3.2 Commitment to non-interference with findings (15%) 0%

No commitment to permitting the reports, which detail the results of external evaluations (i.e. any KRI or KCI assessments conducted by third parties), to be written independently and without interference or suppression.

Quotes:

No relevant quotes found.

3.2.4.1 Identifying novel risks post-deployment: engages in some process (post deployment) explicitly for identifying novel risk domains or novel risk models within known risk domains (50%) 75%

There is an explicit process to “identify new catastrophic outcomes and/or threat scenarios”, using “workshops with experts, including subject matter experts where relevant”. Further, “we conduct periodic threat modelling exercises as a proactive measure to anticipate catastrophic risks from our frontier AI”. They also describe a monitoring setup, which could be built upon to also identify novel risks post-deployment. To improve, more detail on the expertise required for the workshop, or how often threat modelling exercises are performed, could be added.

Quotes:

“In addition to our AI risk assessment (see below), which covers known potential risks, we conduct periodic threat modelling exercises as a proactive measure to anticipate catastrophic risks from our frontier AI. In the event that we identify that a model can enable the end-to-end execution of a threat scenario for a catastrophic outcome, we will conduct a threat modelling exercise in line with the processes in Section 3.2.

The exact format of these exercises may vary. The general process is as follows

1. Host workshops with experts, including external subject matter experts where relevant, to identify new catastrophic outcomes and/or threat scenarios.
2. If new catastrophic outcomes and/or threat scenarios are identified, design new assessments to test for them, in consultation with external experts where relevant.” (pp. 6–7)

“As outlined in the introduction, we expect to update our Frontier AI Framework to reflect developments in both the technology and our understanding of how to manage its risks and benefits. To do so, it is necessary to observe models in their deployed context and to monitor how the AI ecosystem is evolving. These observations feed into the work of assessing the adequacy of our mitigations for deployed models, and
the efficacy of our Framework. We will update our Framework based on these observations. ” (p. 19)

3.2.4.2 Mechanism to incorporate novel risks identified post-deployment (50%) 75%

They mention a willingness to incorporate new risks/”outcomes” in “entirely novel risk domains” to account for “the ways in which frontier AI might introduce novel harms” due to “changes to the threat landscape”. Further, they note that if novel “catastrophic outcomes and/or threat scenarios are identified”, they will “design new assessments to test for them, in consultation with external experts where relevant”. This is unique and shows nuance; to improve, the mechanism could be made more explicit, such as how it informs the interpretation of other risk models if novel risk domains are accounted.

Quotes:

“By anchoring thresholds on outcomes, we aim to create a precise and somewhat durable set of thresholds, because while capabilities will evolve as the technology develops, the outcomes we want to prevent tend to be more enduring. This is not to say that our outcomes are fixed. It is possible that as our understanding of frontier AI improves, outcomes or threat scenarios might be removed, if we can determine that they no longer meet our criteria for inclusion. We also may need to add new outcomes in the future. Those outcomes might be in entirely novel risk domains, potentially
 as a result of novel model capabilities, or they might reflect changes to the threat landscape in existing risk domains that bring new kinds of threat actors into scope. This accounts for the ways in which frontier AI might introduce novel harms, as well
 its potential to increase the risk of catastrophe in known risk domains.” (p. 10)

“In addition to our AI risk assessment (see below), which covers known potential risks, we conduct periodic threat modelling exercises as a proactive measure to anticipate catastrophic risks from our frontier AI. In the event that we identify that a model can enable the end-to-end execution of a threat scenario for a catastrophic outcome, we will conduct a threat modelling exercise in line with the processes in Section 3.2.
The exact format of these exercises may vary. The general process is as follows:

1. Host workshops with experts, including external subject matter experts where relevant, to identify new catastrophic outcomes and/or threat scenarios.
2. If new catastrophic outcomes and/or threat scenarios are identified, design new assessments to test for them, in consultation with external experts where relevant.” (pp. 6–7)