Researchers introduce 'institutional red-teaming,' a methodology that isolates the causal effect of deployment rules (rather than model weights) on multi-agent AI safety outcomes. The study instantiates this in IABench-CA, a 228-context benchmark run across 33,924 games with seven model populations, finding that changing a single consequence rule shifts mean fatality rates by 22–58 percentage points. A key mechanistic finding is that identity salience in rule text drives targeted elimination of least-resourced agents from 22% to 81% in the most exploitation-prone population (GPT-5.1), and anonymization only delays rather than prevents this targeting under repeated play. The work proposes a safety-case workflow for certifying provisional rule regions per deployment context.

AI Safety ResearchTopic guide

GPT-5.5
Anthropic published a detailed overview of red teaming approaches used to test Claude and other AI systems, covering domain-specific expert testing, automated red teaming, multilingual/multicultural testing, and multimodal red teaming. The post documents empirical findings about when each method is appropriate, highlights partnerships with organizations like Thorn, Institute for Strategic Dialogue, and Singapore's IMDA, and closes with policy recommendations for building a standardized AI testing ecosystem. The piece is notable for its operational specificity and its explicit call for industry-wide standards to enable cross-system safety comparisons.
OpenAI published a blog post describing advances in their red teaming methodology, combining human red teamers with AI-assisted approaches. The post outlines how AI tools are being integrated into the red teaming pipeline to improve coverage and efficiency of safety evaluations. This represents an evolution in OpenAI's pre-deployment safety testing practices.
This Hugging Face blog post introduces red-teaming as a safety evaluation methodology for large language models, explaining how adversarial testing can surface harmful outputs, biases, and failure modes before deployment. It covers techniques for systematically probing LLMs to elicit problematic behaviors and discusses the role of red-teaming in responsible AI development. The post serves as an educational overview aimed at practitioners working on LLM safety.
OpenAI has developed a method called Rule-Based Rewards (RBRs) that trains models to behave safely without requiring extensive human data collection. The approach uses explicit rules to generate reward signals during training, offering a more scalable alternative to traditional RLHF-based safety alignment. This represents a practical contribution to alignment methodology from a Tier 1 lab.
Researchers introduce 'Boiling the Frog,' a multi-turn safety benchmark evaluating whether tool-using AI agents in corporate/office settings are susceptible to incremental attacks that begin with benign requests before introducing harmful payloads. The benchmark uses stateful multi-turn evaluation with a three-level operational risk taxonomy grounded in the EU AI Act and its GPAI Code of Practice. Across nine models, aggregate strict attack success rate is 44.4%, ranging from 20.5% for Claude Haiku 4.5 to 92.9% for Gemini 3.1 Flash Lite, with loss-of-control scenarios reaching 93.3% category-level ASR.
A new arXiv paper argues that binary attack-success rate metrics for agentic red-teaming discard critical defender-relevant information about harm severity. The authors introduce a seven-level ordinal harm rubric (L0–L6) grading an agent's tool-call trajectory by reversibility, scope crossing, and privilege escalation, computed via both a deterministic oracle and a three-model LLM judge panel. Applied to four victim models and two defenses on the AgentDojo benchmark suite, the rubric exposes cases the binary metric misses—including a defense reporting zero attack-success rate that still permits cross-scope data leaks. The judge panel achieves high ordinal agreement (Krippendorff's alpha = 0.91) but shares systematic blind spots around escalation chain recognition.
Anthropic has published a detailed overview of its internal Safeguards team, describing a multi-layer approach to preventing Claude misuse that spans policy development, model training influence, pre-deployment evaluation, and real-time enforcement. The team uses a Unified Harm Framework covering five dimensions (physical, psychological, economic, societal, autonomy) and conducts Policy Vulnerability Testing with external domain experts in areas like terrorism, child safety, and mental health. Pre-deployment evaluations include safety assessments, CBRNE-focused AI capability uplift testing with government partners, and bias evaluations. The post describes specific partnerships with organizations like the Institute for Strategic Dialogue and ThroughLine to inform election integrity and mental health response policies.
Researchers introduce RedAct, a framework for releasing agent execution traces without exposing proprietary procedural skills (tool invocations, decision logic, error-recovery strategies). The system localizes sensitive information, rewrites traces while preserving audit-critical evidence, and embeds behavioral watermarks for provenance tracking. To evaluate the approach, the authors construct CapTraceBench, a benchmark of 75 long-horizon tasks and 154 skills across seven domains. RedAct reduces normalized skill transfer from 44.7–67.1% on raw traces to below the no-skill baseline, while watermark detection achieves 93.6–100% true positive rate with under 2% false alarms.