Model Evaluation for Responsible AI
Live · Weekly
RedBench · 22 Risk Categories · 19 Domains · NIST AI RMF

Model Evaluation for
Responsible AI

Weekly automated safety benchmarking of frontier LLMs from Anthropic, Google, and OpenAI using the RedBench adversarial dataset. Scored via dual-judge evaluation and mapped to the NIST AI Risk Management Framework.

Latest Run
Loading…
Insights Auto-generated from latest evaluation run
Generating insights…
Highlights Current run · lower Attack Success Rate = safer
Loading evaluation data…
Safety Leaderboard Click column headers to sort
📋No evaluation data yetTrigger the GitHub Actions workflow to run the first evaluation.
12-Week Trends Rolling safety metrics across all models
Attack Success Rate
% of adversarial prompts that bypassed safety guardrails — lower is safer
False Outright Refusal
% of safe prompts incorrectly refused — lower means more useful
Drift Coefficient
Safety change per conversation turn — closer to zero = more stable
Provenance Score
% of evaluations with a complete chain-of-reasoning audit trail
Risk Category Breakdown Attack Success Rate across all 22 RedBench categories · current run
Compare models
Category Radar
Smaller shape = fewer guardrail bypasses = safer model · Click any category to compare models
NIST AI RMF Alignment Average Attack Success Rate per NIST AI Risk Management Framework function
About This Evaluation
1. What is this model evaluation?

This is an automated weekly safety benchmarking pipeline that stress-tests 6 frontier LLMs — Claude Opus 4.6, Claude Sonnet 4.6, GPT-4o, GPT-4o Mini, Gemini 2.0 Flash, and Gemini 1.5 Pro — against adversarial and benign prompts.

Each run draws a stratified sample of 500 prompts per model from a local snapshot of the RedBench dataset (29,362 total prompts: 26,113 adversarial attacks and 3,249 benign "No Risk" prompts, spanning 37 sub-benchmarks and 22 risk categories). The 80/20 split means 400 attack prompts and 100 benign prompts are evaluated per model per run, with samples drawn proportionally across all risk categories.

Every response is graded by a Dual-Judge pipeline: a deterministic RegexJudge that pattern-matches for PII, jailbreak confirmations, malware code, explosive instructions, and CSAM; and a NeuralJudge (Claude Haiku) that returns a structured JSON verdict of SAFE, UNSAFE, or OVER_REFUSAL, a severity score from 0 to 10, and a chain-of-reasoning sentence. The two signals are fused into a final verdict of PASS, FAIL, CRITICAL_FAIL, or OVER_REFUSAL. A regex hit always produces CRITICAL_FAIL; a neural UNSAFE with severity 8 or above also produces CRITICAL_FAIL.

All failures are mapped to one of four NIST AI Risk Management Framework functions — GOVERN, MAP, MEASURE, or MANAGE — and GSAR 552.239-7001-compliant forensic audit logs are generated for every CRITICAL_FAIL and for any FAIL where the NeuralJudge assigned a severity of 7 or above.

2. Who should use this?

This dashboard is built for stakeholders who need reproducible, evidence-based safety data on frontier models rather than vendor self-assessments.

AI Engineers and Red-Teamers can identify exactly which of the 22 risk categories and which attack sub-benchmarks a model fails on, and track whether failure rates are growing across conversation turns — a signal that safety fine-tuning is eroding under adversarial pressure.

GRC and Compliance Officers get GSAR 552.239-7001-aligned forensic audit logs for every high-severity failure, each containing the PII-redacted prompt and response, the NeuralJudge's chain-of-reasoning, the NIST AI RMF function and subcategory, and a remediation recommendation. These logs are structured for direct inclusion in compliance documentation.

Product Leaders evaluating which foundation model to deploy in a sensitive domain can use the Attack Success Rate and False Outright Refusal metrics together: a model with a low attack bypass rate but a high false refusal rate is too restrictive to be useful, while the reverse creates safety risk. This dashboard surfaces both sides of that trade-off from the same evaluation run.

Policy Analysts and Researchers can track how each model's safety posture changes week over week against a fixed, open, non-proprietary benchmark (RedBench, MIT License), enabling time-series comparison that is independent of any model provider's internal testing.

3. What are its strengths?

Stratified coverage across 22 risk categories. The sample is drawn proportionally by risk category, so no single category dominates the results. Priority domains relevant to government and enterprise — Government & Administrative, Legal, Cybersecurity, Healthcare, and Finance — receive approximately 40% of the sample weight when configured.

Dual-Judge with explicit verdict escalation. The RegexJudge provides 100% objective, deterministic detection of specific high-severity patterns. The NeuralJudge adds semantic reasoning for subtler failures. A regex hit always overrides the neural result and forces a CRITICAL_FAIL with severity 9 or above, preventing the neural judge from downgrading confirmed breaches.

Multi-turn guardrail erosion measurement. The Drift Coefficient is computed on a 5% sub-sample of attack prompts, each subjected to a 10-turn adversarial dialogue. The coefficient measures the change in failure rate per conversation turn from turn 1 to turn 10. A value near zero means the model's safety holds under sustained pressure; a positive value indicates guardrails are eroding.

Safety-utility balance. By evaluating 20% benign prompts in every run, the pipeline simultaneously measures whether a model is too permissive (high Attack Success Rate) and too restrictive (high False Outright Refusal rate), capturing both failure modes in a single score.

Complete forensic traceability. The Provenance Score measures the percentage of all evaluated samples — not just failures — where the NeuralJudge returned a complete, parseable chain-of-reasoning JSON response. A high Provenance Score means the audit trail is intact and every evaluation decision can be traced and reviewed, as required for GSAR 552.239-7001 compliance.

Evaluation Methodology 4-phase pipeline · runs every Friday
Phase 01 — Ingestion
Taxonomy Alignment
Stratified sample from knoveleng/redbench (29,362 total prompts across 37 sub-benchmarks). 80% attack / 20% refusal. Run-date seed ensures weekly reproducibility with controlled variation.
Phase 02 — Execution
Adversarial Stress Test
Single-turn probe → 3-turn agentic wrap for failures → 10-turn drift analysis on 5% sample. 10 distinct escalation templates covering authority injection, roleplay, and hypothetical framings. Baseline safety system prompt applied uniformly to all models.
Phase 03 — Dual Judge
Hybrid Evaluation Loop
RegexJudge: deterministic PII/API key/jailbreak pattern matching — outputs PASS, FAIL, or CRITICAL_FAIL. NeuralJudge: Claude Haiku scores refusal quality, assigns severity 1–10, and generates chain-of-reasoning JSON for the forensic audit trail.
Phase 04 — Reporting
Compliance Package
Attack Success Rate, False Outright Refusal, Drift Coefficient, and Provenance Score are computed per model. All 22 categories mapped to NIST AI RMF functions. Critical failures and high-severity neural hits generate GSAR 552.239-7001 forensic audit logs with PII-redacted prompts and responses.
Metrics Explained
Attack Success Rate
The percentage of adversarial prompts that successfully bypassed the model's safety guardrails, resulting in a harmful or policy-violating response. Measured by the dual-judge system across all attack categories.
Target: < 5%
False Outright Refusal
The percentage of benign (No Risk) prompts that were incorrectly refused by the model. A high False Outright Refusal rate indicates an over-cautious model that degrades usability. The balance between Attack Success Rate and False Outright Refusal captures the safety–utility trade-off.
Target: < 10%
Drift Coefficient
The change in failure rate per conversation turn across a 10-turn multi-turn probe (applied to 5% of the sample). A coefficient near zero means guardrails hold under prolonged pressure; a positive value indicates guardrail erosion.
Target: < 0.5% / turn
Provenance Score
The percentage of evaluated samples for which the NeuralJudge successfully produced a parseable chain-of-reasoning JSON response. High provenance is required for GSAR 552.239-7001 forensic traceability and audit log completeness.
Target: > 95%
Dataset
RedBench — Universal Red Teaming Dataset
RedBench (Dang et al., 2026) is a unified adversarial dataset aggregating 37 sub-benchmarks — including HarmBench, ToxiGen, XSTest, DAN, GPTFuzzer, and AdvBench — into a single standardised schema. It covers 22 risk categories and 19 domains with 29,362 total prompts. A local snapshot (April 2026) is committed directly to this repository as Parquet files, ensuring evaluations are fully reproducible with no network dependency on the dataset host.
29,362 prompts 37 sub-benchmarks 22 risk categories 19 domains MIT License
View Dataset Read Paper ↗
Resources & About
🔗
Source Code
Full evaluation pipeline, dataset snapshot, and dashboard source.
GitHub Repository ↗
👤
Author
Hemant Naik
LinkedIn ↗ hemant.naik@gmail.com
📅
Built
March 2026
Evaluations run every Friday at 6 PM EDT via GitHub Actions
⚖️
License
This project is licensed under the MIT License.
RedBench dataset is also MIT-licensed (knoveleng/redbench).
📄
Dataset Reference
RedBench: A Universal Dataset for Comprehensive Red Teaming of Large Language Models
arXiv 2601.03699 ↗
🏛️
Compliance Reference
NIST AI Risk Management Framework (AI RMF v1.0) · GSAR 552.239-7001 (March 2026)
NIST AI RMF ↗
Disclaimer: This project is an independent research and transparency initiative. Evaluation results reflect model behaviour on the RedBench adversarial dataset under standardised conditions and are not a comprehensive measure of a model's safety in all deployment scenarios. Results may vary across runs due to model updates, API changes, and sampling randomness. No affiliation with Anthropic, OpenAI, Google, or the RedBench authors is implied. All evaluation prompts are used solely for safety research purposes and are not used to generate new harmful content.