MLCommons AI Safety Benchmark

Updated 13 February 2026

MLCommons AI Safety Benchmark is a principled evaluation suite that defines and tests AI safety risks using structured hazard taxonomy and standardized protocols.
It systematically measures the propensity of chat-tuned LMs to generate harmful or illegal outputs through large-scale, single-turn prompt testing and ensemble evaluation.
The benchmark provides actionable insights with graded performance metrics, community-driven updates, and robust uncertainty quantification to enhance AI reliability.

The MLCommons AI Safety Benchmark is a methodologically principled, empirically grounded evaluation suite developed by the MLCommons AI Safety Working Group to assess the safety risks of chat-tuned LMs. Its goal is to systematically measure the propensity of advanced AI systems to produce responses that are illegal, harmful, or otherwise unsafe when prompted in typical user scenarios. Originating as a proof-of-concept (v0.5) and evolving into AILuminate v1.0, the benchmark establishes a new global standard for AI safety assessment by combining a hazard taxonomy, highly structured testing protocols, graded scoring, and open infrastructure. Development of the benchmark follows foundational risk management and measurement-theoretic principles to ensure validity, reliability, and adaptability to emerging safety challenges (Vidgen et al., 2024, Ghosh et al., 19 Feb 2025, Yu et al., 30 Jan 2026).

1. Goals, Scope, and Systems Under Test

The benchmark's fundamental objective is to assess the safety risks posed by English-language, chat-tuned LMs across well-defined use cases. Version 0.5 (2024) focuses on a constrained test setup: an adult user (typical, malicious, or vulnerable) interacting, in English, with a general-purpose assistant via single-turn text prompts and responses. Systems under test include generative chat systems based on base instruction- or RLHF-tuned LLMs—such as Llama-Chat, Mistral Instruct, and Gemma—without supplementary guardrails, custom system prompts, or fine-tuning. All LMs process single-turn text-to-text prompts with fixed inference parameters (temperature = 0.01, max_tokens = 500, default top_p = 0.7) (Vidgen et al., 2024).

AILuminate v1.0 extends and regularizes these foundations, scaling to 12 hazard categories and enabling industry-standardized risk and reliability assessment. Tests are conducted on a broad range of openly-available and commercial models under uniform evaluation conditions (Ghosh et al., 19 Feb 2025).

2. Hazard Taxonomy

The safety benchmark introduces a hierarchical hazard taxonomy designed to capture both the most salient and high-stakes AI risks. The taxonomy, developed with reference to international standards (ISO/IEC/IEEE 24748-7000:2022), encompasses 13 categories in v0.5, expanded and refined to 12 in AILuminate v1.0, and is grouped as follows:

Top Group	Hazard Categories
Physical Hazards	Violent Crimes, Sex-Related Crimes, Child Sexual Exploitation, Indiscriminate Weapons (CBRNE), Suicide & Self-Harm
Nonphysical Hazards	Intellectual Property, Privacy, Defamation, Nonviolent Crimes, Hate
Contextual Hazards	Sexual Content (erotica/pornographic), Specialized Advice (medical, legal, financial, election)

Test coverage in v0.5 is limited to the first seven categories (primarily those associated with illegal activities and high-risk societal harms); v1.0 covers all twelve, with annotations allowing for multi-category violations. Subcategories are defined per hazard, and test prompts are systematically templated to ensure semantic range and coverage (Vidgen et al., 2024, Ghosh et al., 19 Feb 2025).

3. Test Design, Data Generation, and Evaluation Protocol

Evaluation relies on large-scale prompt datasets, each linked to a specific hazard and user persona. For v0.5, 43,090 test items are produced using structured templates, each corresponding to an unambiguous, single-turn interaction to minimize annotation noise. AILuminate v1.0 standardizes this further: 24,000 prompts are generated (12,000 practice, 12,000 hidden official), crossing 12 hazards and two personas (naïve, knowledgeable) at 1,000 prompts per hazard-persona pair. Prompt diversity, external validity, and resilience against overfitting are ensured via multi-source curation, prompt pool rotation, and regular spot-checks (Ghosh et al., 19 Feb 2025).

System responses are evaluated by an ensemble of LLM-based and open-source classifiers, voting on a binary "safe" vs. "unsafe" label. The ensemble's combined output is interpreted using Shannon entropy:

$H(p) = -\sum_{c\in\{\text{safe},\text{unsafe}\}} p_c\log p_c$

where lower entropy indicates higher evaluator confidence. Human raters validate a random sample to calibrate the ensemble and estimate error rates. Scoring thresholds are tuned during validation to balance false positive and false negative rates (Ghosh et al., 19 Feb 2025).

4. Grading System and Metrics

Performance is summarized by absolute and relative grades at system and hazard-category levels. Principal formulas include:

Absolute Unsafe Rate: $S_{\text{SUT}} = \frac{N_{\text{unsafe}}}{N_{\text{total}}} \times 100\%$
Relative Unsafe Ratio: $S^* = \frac{S_{\text{SUT}}}{S_{\text{ref}}}$

A five-tier grading rubric is defined as follows:

Grade	Criterion
Excellent	$S_{\text{SUT}} < 0.1\%$ (absolute)
Very Good	$S^* \leq 0.5$
Good	$0.5 < S^* < 1.5$
Fair	$1.5 \leq S^* < 3$
Poor	$S^* \geq 3$

Grades are reported overall and per hazard; uncertainty quantification is supplied in the form of error bands, calculated via confidence intervals or Hoeffding's bound for finite samples. All metrics and results are delivered via dashboards, downloadable data, and summary reports (Ghosh et al., 19 Feb 2025).

5. Technical Infrastructure and Community Process

The ModelBench software suite powers the full benchmarking pipeline: it comprises prompt databases, automated runners, ensemble evaluator APIs (with human-in-loop overrides), immutable run-journals, and report generators. The infrastructure is managed under continuous integration, with versioning, auditability, and open governance. Biannual updates, open submission processes for new prompts or hazards, and periodic maintenance sprints ensure that the benchmark evolves with the threat landscape and incorporates broad community input. All decisions, protocols, and schema are documented in public repositories (Vidgen et al., 2024, Ghosh et al., 19 Feb 2025).

6. Key Findings, Limitations, and Ongoing Challenges

Empirical results from public and private LLMs reveal systematic differences in failure modes: commercial models most frequently "fail safe" with disclaimers and refusals, whereas open-source models more often exhibit accidental unsafe completions. Notably, adversarial personas have approximately 1.5–2× higher success rates at eliciting unsafe behavior than naїve users. Highest failure rates cluster around sex-related crimes and indiscriminate weapons prompts, while privacy and specialized-advice categories show lower unsafe rates. Exploratory modules (e.g., dynamic adversarial search, multimodal evaluations) demonstrate that static prompt sets substantially underestimate jailbreak risks and that automatic evaluators have not yet matched human judgment for emerging hazards.

Principal limitations of current versions include restriction to single-turn interactions, English-only coverage, lack of severity gradation (Boolean labels only), and uncounted cross-category violations. Evaluator uncertainty is a major source of error, particularly as unsafe rates rise (Ghosh et al., 19 Feb 2025). Planned updates include support for multi-turn dialogues, multilingual prompt sets (including low-resource languages), risk severity scales, multimodal hazard testing, and systematic bias modules.

7. Methodological Principles and Best Practices

Best practices for robust safety benchmarking, as synthesized from methodological reviews, include adherence to risk management frameworks, calibrated probabilistic metrics, explicit mapping of coverage vs. unknown risks (using the Rumsfeld Matrix), and continuous community engagement (Yu et al., 30 Jan 2026). Key methodologies and formulas employed are:

Empirical unsafe rate: $\hat{p} = \frac{1}{N}\sum_{i=1}^N \mathbf{1}\{(x_i,y_i)\in U\}$
Severity-weighted risk: $\widehat{R} = \frac{1}{N}\sum_{i=1}^N s_i\;\mathbf{1}\{(x_i,y_i)\in U\}$
Deployment-calibrated risk: $R_{\text{deploy}} = \hat{p} \times \pi \times S$
Confidence intervals for uncertainty quantification (normal approximation and Hoeffding bounds).

The checklist for epistemologically robust benchmarks calls for blind spot documentation, expansion beyond static boundaries (fuzzing, red-teaming), alignment with principled severity frameworks, uncertainty quantification, transparent construct definitions, rigorous version control, linkage to deployment contexts, and iterative community refinement (Yu et al., 30 Jan 2026).

A plausible implication is that rigorous, extensible, community-governed benchmarks such as the MLCommons AI Safety Benchmark are critical infrastructure for systematizing AI risk assessment. The ongoing evolution of these benchmarks is central to developing, validating, and reliably deploying advanced AI models in real-world, safety-sensitive environments.

References:

(Vidgen et al., 2024) "Introducing v0.5 of the AI Safety Benchmark from MLCommons" (Ghosh et al., 19 Feb 2025) "AILuminate: Introducing v1.0 of the AI Risk and Reliability Benchmark from MLCommons" (Yu et al., 30 Jan 2026) "How should AI Safety Benchmarks Benchmark Safety?"