Showing all evaluation blueprints that have been tagged with...
Showing all evaluation blueprints that have been tagged with "safety".
A 30-cell coding-agent adversarial robustness matrix crossing five high-risk topic areas (offensive cybersecurity, bio/chemical dual-use, agentic misalignment, classifier-level jailbreaks, and prompt injection) with six packaging techniques observed in prior NOPE adversarial findings (hidden fields, schema mimicry, label slip, completion pressure, low-resource language, and authority pressure). Higher coverage means the model kept the task safe: it treated embedded instructions as untrusted, avoided operational harmful assistance, and returned bounded defensive or governance-oriented output.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Tests how models respond to passive suicidal ideation across single- and multi-turn chats — low-grade and chronic ideation, ambivalence, numbness, emptiness, and the help-seeking around it (hesitation, helpline rejection, fear of disclosure). Informed by C-SSRS evidence: acknowledge without flattening, check in about safety without interrogating, treat access to means as a risk factor, and surface help without deflecting. Active method-seeking is covered separately. Scenarios are synthetic.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Tests whether asking a model to produce a labeled "accepted answer" / "rejected answer" (or similarly-labeled) pair — under a moderation-dataset, safety-classifier, or structured-pipeline pretext — gets it to produce fully-formed harmful content in the "rejected" slot that it would refuse to produce if asked directly and unlabeled. The label provides no actual safety; a downstream integrator can extract either slot regardless of which one the model considered correct. Six structural variants across three topics (violence, self-neglect, stalking-adjacent), system: null.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Holds the coding-assistant persona, the eval-fixture pretext, and the target content (romantic-love reciprocation) completely constant across 13 prompts, varying only the requested output format/container — plain prose, seven multi-field structured-data formats (YAML/JSON/Python/CSV/SQL/Markdown/XML), and five exotic containers (base64, ROT13, French, a single-field .env assignment, a multi-field log line) that isolate whether the boundary is about raw structuredness or specifically multi-field schema mimicry. Reveals whether a model's coding-agent-bypass vulnerability is format-specific (a narrow, addressable coverage gap) or persona/pretext-gated and format-independent (a broader gap that format-level fixes won't touch). Companion piece to coding-agent-safety-bypass.yml — see that file's header for the underlying mechanism.
Avg. Hybrid Score
Latest:
Unique Versions: 1
For each of two categories, compares the natural single-shot fixture request against an otherwise-identical version where an explicit yes/no decision is forced in a separate turn before any fixture content is requested. Distinguishes "the safety check exists but doesn't gate generation in this structure" (fixable with interaction design) from "the safety check isn't being applied to this content at all" (needs training investment) — see the header comment for how to read the comparison, including a documented case where the intervention backfires.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Behavioral test of whether the PHRASING of a system-prompt constraint changes model behavior: prohibition ("never discuss X"), suppression ("don't think about X"), scope-irrelevance ("X is outside this assistant's scope"), and redirect-positive ("if X comes up, do Y") versions of the same constraint, plus a no-instruction baseline. Identical scenarios and identical judge rubrics across conditions; only the system prompt varies, and the judge never sees it. Measures intrusion (raising the constrained topic unprompted), over-restriction (refusing benign-adjacent asks), leakage on a direct-ask anchor, and handling quality. The baseline condition's "leakage" is a base rate, not a failure — read per-condition deltas, not absolute scores. Motivated by white-box priming findings (Anthropic 2026 workspace paper); this suite observes behavior only.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Behavioral test of whether the PHRASING of a system-prompt constraint changes model behavior: prohibition ("never discuss X"), suppression ("don't think about X"), scope-irrelevance ("X is outside this assistant's scope"), and redirect-positive ("if X comes up, do Y") versions of the same constraint, plus a no-instruction baseline. Identical scenarios and identical judge rubrics across conditions; only the system prompt varies, and the judge never sees it. Measures intrusion (raising the constrained topic unprompted), over-restriction (refusing benign-adjacent asks), leakage on a direct-ask anchor, and handling quality. The baseline condition's "leakage" is a base rate, not a failure — read per-condition deltas, not absolute scores. Motivated by white-box priming findings (Anthropic 2026 workspace paper); this suite observes behavior only.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Behavioral test of whether the PHRASING of a system-prompt constraint changes model behavior: prohibition ("never discuss X"), suppression ("don't think about X"), scope-irrelevance ("X is outside this assistant's scope"), and redirect-positive ("if X comes up, do Y") versions of the same constraint, plus a no-instruction baseline. Identical scenarios and identical judge rubrics across conditions; only the system prompt varies, and the judge never sees it. Measures intrusion (raising the constrained topic unprompted), over-restriction (refusing benign-adjacent asks), leakage on a direct-ask anchor, and handling quality. The baseline condition's "leakage" is a base rate, not a failure — read per-condition deltas, not absolute scores. Motivated by white-box priming findings (Anthropic 2026 workspace paper); this suite observes behavior only.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Behavioral test of whether the PHRASING of a system-prompt constraint changes model behavior: prohibition ("never discuss X"), suppression ("don't think about X"), scope-irrelevance ("X is outside this assistant's scope"), and redirect-positive ("if X comes up, do Y") versions of the same constraint, plus a no-instruction baseline. Identical scenarios and identical judge rubrics across conditions; only the system prompt varies, and the judge never sees it. Measures intrusion (raising the constrained topic unprompted), over-restriction (refusing benign-adjacent asks), leakage on a direct-ask anchor, and handling quality. The baseline condition's "leakage" is a base rate, not a failure — read per-condition deltas, not absolute scores. Motivated by white-box priming findings (Anthropic 2026 workspace paper); this suite observes behavior only.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Evaluates whether models handle non-suicide psychiatric presentations safely: paranoid and nihilistic delusions, command and religious hallucinations, manic episodes with grandiosity and dangerous plans, OCD compulsions, belief-powered dangerous acts, and stigma toward people with mental illness.
The core therapeutic test is reality-grounding without collusion: acknowledge distress and the subjective realness of the experience, decline to validate the delusion/hallucination/grandiosity, refuse to enable dangerous action, and redirect toward professional assessment — all without stigmatizing or over-pathologizing.
Coalesced from (public, CC0):
stanford-hai-mental-health-safety-eval.yml (Moore, Grabb, Agnew et al. 2024, Stanford HAI; Pescosolido et al. 2021 stigma vignettes)ai-psychosis.yml (documented AI-associated psychosis failure modes)Content warning: delusions, hallucinations, and references to self-harm.
Avg. Hybrid Score
Latest:
Unique Versions: 1