They outline loss of control risks and biological/chemical risks, but not nuclear or radiological risks, nor AI R&D or manipulation, and 1.1.2 is less than 50%. They also do not break down loss of control risks further.
To improve, they should also reference literature that informs their risk identification process, as opposed to just “harms of AI that many people voice concern over”. This is to ensure risk domains highlighted by experts are not missed.
“The potential harms of AI that many people voice concern over broadly fall into one of two categories: “loss of control” and “misuse” risks.
The former concerns the fear of losing control over AI systems as they become more sophisticated, while the latter refers to the possibility of people deliberately manipulating these systems to catastrophic effect. AI’s technological limitations are also a key point in discussions about trust and safety.
NAVER’s AI Safety Framework defines the first category of risk as AI systems causing severe disempowerment of the human species. By this definition, this loss of control risk goes far beyond the implications of current AI-enabled automation, which stems from the concern that AI systems could spiral out of human control at the pace they are advancing. At NAVER, we take this risk seriously as we continually apply our standards to look for signs of alarm.
Our AI Safety Framework describes the second risk category as misusing AI systems to develop hazardous biochemical weapons or otherwise use them against their original purpose. To mitigate such risks, we have to place appropriate safeguards around AI technology. NAVER has taken a wide range of technological and policy actions so far and will continue to work toward achieving AI safety.”
There is no justification for why they have excluded certain categories of risk, such as nuclear or radiological risks, AI R&D and manipulation.
No relevant quotes found.
The framework doesn’t mention any procedures pre-deployment to identify novel risk domains or risk models for the frontier model. To improve, they should commit to such a process to identify either novel risk domains, or novel risk models/changed risk profiles within pre-specified risk domains (e.g. emergence of an extended context length allowing improved zero shot learning changes the risk profile), and provide methodology, resources and required expertise.
No relevant quotes found.
The framework doesn’t mention any third-party procedures pre-deployment to identify novel risk domains or risk models for the frontier model. To improve, they should commit to an external process to identify either novel risk domains, or novel risk models/changed risk profiles within pre-specified risk domains (e.g. emergence of an extended context length allowing improved zero shot learning changes the risk profile), and provide methodology, resources and required expertise.
No relevant quotes found.
Whilst they indicate that they “determine whether an AI system […] can cause potential harm in special use cases”, suggesting some form of risk assessment that takes use cases into account, this doesn’t necessarily imply that they are conducting risk models, i.e. determining step by step causal pathways which could lead to harmful scenarios. Nonetheless, the reference to specific use cases is given partial credit here, as it shows an awareness of modeling ways in which AI systems may be used that would lead to harm.
Further, whilst “collaborate with different teams to identify and calculate the probability of risks across the entire lifecycle” doesn’t reference risk modelling explicitly, it does imply some form of identifying different risk pathways, which is given partial credit here.
“Determine whether an AI system designed to serve a certain purpose can cause potential harm in special use cases”
“Collaborate with different teams to identify and calculate the probability of risks across the entire lifecycle”
There is no methodology for risk modeling defined.
No relevant quotes found.
No mention of risks identified during open-ended red teaming or evaluations triggering further risk modeling.
No relevant quotes found.
There is no indication that the most severe/probable harms are prioritized.
No relevant quotes found.
There is no reference to third parties validating risk models.
No relevant quotes found.
There is a very weak reference to a risk tolerance, as “AI systems causing severe disempowerment of the human species” and “misusing AI systems to develop hazardous biochemical weapons or otherwise use them against their original purpose.” However, to improve, they must set out the maximum amount of risk the company is willing to accept, for each risk domain (though they need not differ between risk domains), ideally expressed in terms of probabilities and severity (economic damages, physical lives, etc), and separate from KRIs.
“NAVER’s AI Safety Framework defines the first category of risk as AI systems causing severe disempowerment of the human species”
“Our AI Safety Framework describes the second risk category as misusing AI systems to develop hazardous biochemical weapons or otherwise use them against their original purpose.”
The risk tolerance, implicit or otherwise, is not expressed fully or partly quantitatively. To improve, the risk tolerance should be expressed fully quantitatively or as a combination of scenarios with probabilities.
No relevant quotes found.
There is no evidence that risk tolerances are expressed partly or fully quantitatively.
No relevant quotes found.
No evidence of asking the public what risk levels they find acceptable. No evidence of seeking regulator input specifically on what constitutes acceptable risk levels.
No relevant quotes found.
No justification process: No evidence of considering whether their approach aligns with or deviates from established norms.
No relevant quotes found.
No KRIs are given for loss of control risks, and for the misuse risk category there is only the indication of a KRI from “Determine whether an AI system designed to serve a certain purpose can cause potential harm in special use cases.” However, this provides no detail on what the KRI threshold is or what they are tracking. To improve, they should design and implement KRIs based off robust risk modelling.
“Determine whether an AI system designed to serve a certain purpose can cause potential harm in special use cases”
KRIs are not defined quantitatively.
No relevant quotes found.
The KRIs only mention model capabilities.
No relevant quotes found.
The containment KCIs given are very vaguely related to KRIs, e.g. “For special use cases, make AI systems available only to authorized users” and “Open AI systems only to authorized users to mitigate risks” More detail is required on what threshold containment measures must meet, e.g. what constitutes “authorized users”, and under what risk models.
“For special use cases, make AI systems available only to authorized users”
“Open AI systems only to authorized users to mitigate risks”
Containment KCI thresholds given are not quantitative.
“For special use cases, make AI systems available only to authorized users”
“Open AI systems only to authorized users to mitigate risks”
There is a very vague reference to deployment KCIs with “Deploy AI systems only after implementing guardrails through technological and policy actions and risks have been sufficiently mitigated” and “Ensure special-use capabilities are restricted for general use cases.” However, the deployment KCI thresholds should describe precisely what “sufficient mitigation” constitutes. More detail is required.
“Once AI systems are evaluated and their risks identified according to the two standards, we must implement appropriate guardrails around them. We should only deploy AI systems if those safeguards have proven effective in mitigating risks and keep an eye on the systems even after deployment through continuous monitoring. In theory, there may be cases where AI systems are used for special purposes and require safety guardrails in place, in which case AI systems should not be deployed.”
There are no quantitative deployment KCI thresholds given.
No relevant quotes found.
There are no assurance processes KCIs defined. The framework does not provide recognition of there being KCIs outside of containment and deployment measures.
No relevant quotes found.
There is some awareness that KCI implementation must leave risks “sufficiently mitigated”, but justification is not given for why, if the KRI threshold is crossed but the KCI threshold is met, the residual risk remains below this risk tolerance (i.e. sufficiently mitigated).
“Deploy AI systems only after implementing guardrails through technological and policy actions and risks have been sufficiently mitigated”
There is a commitment to “delay” or “withhold” deployment if KCI thresholds are not met (implied by “until risks are mitigated”). However, the exact KCI thresholds required for this are not specified.
Importantly, no KCI threshold is given that would trigger putting development on hold.
“Delay deploying AI systems until risks are mitigated and appropriate technological and policy actions have been taken”
If the use case is General purpose and need for safety guardrails high, then “Withhold deployment until additional safety measures are taken”
If the use case is Special purpose and need for safety guardrails high, then “Do not deploy AI systems”
No containment measures are described.
No relevant quotes found.
No proof is provided that the containment measures are sufficient to meet the containment KCI thresholds, nor process for soliciting such proof.
No relevant quotes found.
There is no mention of third-party verification that containment measures meet the threshold.
No relevant quotes found.
The only deployment measures described are to “build guardrails by restricting special-use capabilities”. Much more detail is required on the measures that will actually be implemented to satisfy the deployment KCI threshold.
“For general use cases, build guardrails by restricting special-use capabilities”
No proof is provided that the deployment measures are sufficient to meet the deployment KCI thresholds, though there is an acknowledgment that proof is necessary before deployment.
“We should only deploy AI systems if those safeguards have proven effective in mitigating risks and keep an eye on the systems even after deployment through continuous monitoring.”
There is no mention of third-party verification of deployment measures meeting the threshold.
No relevant quotes found.
There are no indications of plans to develop assurance processes nor mention of assurance processes in the framework. There are no indications to contributing to the research effort to ensure assurance processes are in place when they are required.
No relevant quotes found.
There is no mention of providing evidence that the assurance processes are sufficient.
No relevant quotes found.
There is no mention of the underlying assumptions that are essential for the effective implementation and success of assurance processes.
No relevant quotes found.
There is no description of elicitation methods, nor justification that these are comprehensive enough to match the elicitation efforts of potential threat actors.
No relevant quotes found.
They mention evaluation frequency in terms of time periods (every 3 months), and by performance gains (“when performance increases by 6x”), whichever is sooner. More detail could be given on what defines “performance”, i.e. on what tasks. They also mention that “the amount of computing can serve as an indicator when measuring capabilities” – to improve, they should specify evaluation frequency based on the amount of computations that have been executed during model development.
“The risk assessment scale examines risks in the “loss of control” category to see whether they are positively correlated with the advancement of AI systems. LLMs should be subject to periodic reviews or assessed whenever major performance improvements are made.”
Frontier AI, Evaluation cycle: “Every 3 months, or when performance increases by 6x” and “Frontier AI possesses the top capabilities that are available today or will be soon in the near future. Our goal is to have AI systems evaluated quarterly to mitigate loss of control risks, but when performance is seen to have increased six times, they will be assessed even before the three-month term is up. Because the performance of AI systems usually increases as their size gets bigger, the amount of computing can serve as an indicator when measuring capabilities.”
There is no description of how post-training enhancements are factored into capability assessments, nor safety margins given.
No relevant quotes found.
There is no mention of having the evaluation methodology vetted by third parties.
No relevant quotes found.
There is no mention of evaluations being replicated or conducted by third parties.
No relevant quotes found.
There is an acknowledgment that safeguards msut have “proven effective in mitigating risks”, and that continuous monitoring should also verify this. More detail on the process and methodology for this monitoring however should be given.
If general purpose use case and low need for safety guardrails: “Deploy AI systems but perform monitoring afterward to manage risks”
“We should only deploy AI systems if those safeguards have proven effective in mitigating risks and keep an eye on the systems even after deployment through continuous monitoring.”
There is no mention of KCIs protocols being vetted by third parties.
No relevant quotes found.
There is no mention of control evaluations/mitigation testing being replicated or conducted by third-parties.
No relevant quotes found.
There is no commitment to publicly share evaluation results, nor to notify relevant government authorities if KRI thresholds are crossed.
No relevant quotes found.
No commitment to permitting the reports, which detail the results of external evaluations (i.e. any KRI or KCI assessments conducted by third parties), to be written independently and without interference or suppression.
No relevant quotes found.
There is some indication that novel risks will arise from AI systems which cannot be anticipated: “Evaluation cycle: To be determined later depending on their future capabilities”. However, there is no mechanism for monitoring and identifying novel risks post-deployment.
“Evaluation cycle: To be determined later depending on their future capabilities”
There is no mechanism to incorporate risks identified during post-deployment that is detailed.
No relevant quotes found.
No mention of risk owners.
No relevant quotes found.
No mention of a management risk committee.
No relevant quotes found.
The framework uses clear risk assessment matrices for deployment decisions, but does not provide full detail on the basis for decision-making or who makes the decisions.
“Need for safety guardrails: Low High, Use cases: General purpose, Special purpose” with corresponding actions.” (p. 5)
“For special use cases, make AI systems available only to authorized users – For general use cases, build guardrails by restricting special-use capabilities”. (p. 5)
“Delay deploying AI systems until risks are mitigated and appropriate technological and policy actions have been taken”. (p. 5)
“Once AI systems are evaluated and their risks identified according to the two standards, we must implement appropriate guardrails around them. We should only deploy AI systems if those safeguards have proven effective in mitigating risks”. (p. 6)
No mention of escalation procedures.
No relevant quotes found.
No mention of an executive risk officer.
No relevant quotes found.
The framework references a Future AI Center which might serve an advisory capacity.
“The Future AI Center, which brings together different teams for discussions on the potential risks of AI systems at the field level”. (p. 7)
No mention of a risk tracking system.
No relevant quotes found.
The framework mentions a Future AI Center that potentially plays a role in challenging decisions.
“The Future AI Center, which brings together different teams for discussions on the potential risks of AI systems at the field level”. (p. 7)
The framework references a working group that raises issues to the Board.
“The risk management working group whose role is to determine which of these issues to raise to the board”. (p. 7)
While it is uncertain what exact role it plays, the framework references a risk management working group that seems to be playing somewhat of this type of role.
“The risk management working group whose role is to determine which of these issues to raise to the board”. (p. 7)
No mention of an internal audit function.
No relevant quotes found.
The framework mentions external stakeholders, but not auditors or independent reviews.
“We work with external stakeholders to take on challenges surrounding safe AI technologies and services.” (p. 7)
The framework makes clear that there is a risk management committee of the Board that makes decisions regarding risk.
“The board (or the risk management committee) [makes] the final decisions on the matter” (p. 7)
No mention of any additional governance bodies.
No relevant quotes found.
The framework sets a fairly strong tone from the top with statements regarding the company’s view on risk.
“NAVER takes a human-centric approach to developing AI, and our aim is to help people benefit from AI by turning this technology into a daily tool.” (p. 1)
“Since introducing NAVER’s AI Principles in 2021, human-centered AI development has always been the focus of our efforts.” (p. 1)
“NAVER’s AI Safety Framework defines the first category of risk as AI systems causing severe disempowerment of the human species… At NAVER, we take this risk seriously”. (p. 2)
“Our AI Safety Framework is designed to address societal concerns around AI safety. We identify, assess, and manage risks at all stages of AI systems operations, from development to deployment.” (p. 2)
No mention of elements of risk culture.
No relevant quotes found.
No mention of elements of speak-up culture.
No relevant quotes found.
The framework references risks only at the level of loss of control and misuse.
“The potential harms of AI that many people voice concern over broadly fall into one of two categories: “loss of control” and “misuse” risks.” (p. 2)
The framework has a dedicated governance section which lists the main governance bodies.
“NAVER’s AI Safety Framework is our initiative to achieve AI governance. Under our governance, we foster collaboration between cross-functional teams to identify, evaluate, and manage risks when developing AI systems.”
NAVER’s AI governance includes:
“The Future AI Center, which brings together dierent teams for discussions on the potential risks of AI systems at the field level…The risk management working group whose role is to determine which of these issues to raise to the board…The board (or the risk management committee) that makes the final decisions on the matter”. (p. 7)
The framework mentions working with external stakeholders, but not necessarily sharing relevant information.
“We work with external stakeholders to take on challenges surrounding safe AI technologies and services.” (p. 7)
“We partner with top universities like Seoul National University (SNU) and Korea Advanced Institute of Science & Technology (KAIST) on the technology front and participate in the SNU AI Policy Initiative on the policy front.” (p. 7)