Policy Framework Evaluation

Companies like Anthropic, OpenAI, and Google DeepMind have started to adopt AI safety frameworks. In our new paper, we propose a grading rubric that can be used to evaluate these frameworks. Download the paper: https://lnkd.in/e2ZnMyYT 📄 Title: A Grading Rubric for AI Safety Frameworks 🎓 Authors: Jide Alaga, Jonas Schuett, Markus Anderljung 🌎 Background In the past year, AI companies have started to adopt AI safety frameworks. This includes Anthropic’s Responsible Scaling Policy (RSP) (https://lnkd.in/eTppfSBi), OpenAI’s Preparedness Framework (https://lnkd.in/ewdWzvHW), and Google DeepMind’s Frontier Safety Framework (https://lnkd.in/dvi9eiEX). Other companies have signaled their intent to publish similar frameworks soon. At the AI Seoul Summit 2024, 16 companies including Meta, Microsoft, and xAI signed the Frontier AI Safety Commitments (https://lnkd.in/eKCJJGcp), in which they commit to publish their own frameworks by the AI Action Summit in France early 2025. 💡 What are AI safety frameworks? AI safety frameworks are risk management policies intended to keep the potential risks associated with developing and deploying frontier AI systems to an acceptable level. These frameworks typically focus on catastrophic risks (e.g. from the use of chemical or biological weapons, cyberattacks, or loss of control). They specify, among other things: (1) how developers analyze the potential ways in which AI systems could lead to catastrophic outcomes, (2) how they gather evidence about a system’s capabilities, (3) what safety measures would be adequate for a given level of capabilities, and (4) how developers intend to ensure that they adhere to the framework and maintain its effectiveness. 📋 Grading rubric To enable governments, researchers, and civil society to pass judgment on AI safety frameworks, we propose a new grading rubric. The rubric consists of seven evaluation criteria divided into three categories: (1) Effectiveness: Would the framework, if adhered to, keep risks to an acceptable level? (2) Adherence: Will the company adhere to the framework? (3) Assurance: Can third parties provide assurance that the framework would keep risks to an acceptable level and that the company will adhere to it? We also propose 21 corresponding indicators that concretize the criteria. ⭐️ Quality tiers The evaluation criteria can be graded on a scale from A (gold standard) to F (substandard). The tiers are defined in terms of (1) how much the frameworks satisfy the specified evaluation criteria, (2) how much room for improvement they leave, and (3) to what extent the demonstrated level of effort is commensurate with the stakes.

Your board just approved a $2 million security budget. New EDR. SIEM upgrade. Threat intelligence platform. Zero Trust architecture. But here's what nobody's asking: Does your policy framework actually support what you're about to build? I've watched organizations invest millions in security technology while their policy foundation—the bedrock on which everything else depends quietly crumbles beneath them. Here's the reality most security leaders don't want to acknowledge: Your policies were written for a world that no longer exists. Think about when your current policy library was created. For most organizations, it was before cloud adoption transformed their infrastructure. Before remote work became permanent. Before AI was introduced, entirely new categories of data risk were introduced. Your business has fundamentally changed. Your threat landscape has evolved beyond recognition. Your regulatory environment has expanded dramatically. Your policies? Still written for 2019. This creates a gap that's invisible until it becomes catastrophic. You're implementing a Zero Trust architecture, but your access control policies assume a castle-and-moat network. You're adopting AI tools, but your data governance policies don't address algorithmic decision-making. You're protecting a remote workforce, but your acceptable use policies were written for office workers. The technology keeps advancing. The business keeps evolving. The policies stay frozen in time. Your policies aren't just documentation that sits in a SharePoint folder. They're the constitutional foundation of your entire security program. Everything you want to enforce must first exist in policy. Every control you implement derives its authority from documented standards. Every audit, every regulatory exam, every legal proceeding will ask: What did your policies require? If that foundation is weak, outdated, or disconnected from your current reality, everything built on top of it is structurally unsound - no matter how impressive your technology stack looks. The policies don't match the reality. This is a leadership issue, not a compliance issue. The strength of your policy framework reflects the seriousness of your security commitment. Before your next security investment, ask: Does our policy framework provide the foundation for this investment to be meaningful? Can we enforce what we're about to implement? Do our documented standards reflect the security program we're trying to build? If you can't answer yes with confidence, you're building on sand. The most strategic security investment many organizations could make isn't another tool. It's about ensuring the policy foundation is strong enough to support everything else you're trying to achieve. Start there. Cyverity

"Drawing on our analysis of eight case studies prepared by independent academic and industry experts, this white paper proposes next steps to address AI evaluation and testing challenges and opportunities by: ・Synthesizing insights from the eight case studies, also published separately, and extracting lessons relevant to AI (Part 1); ・Surveying key multistakeholder initiatives that are driving AI evaluation science and practice forward (Part 2); and ・Presenting recommendations for policymakers aiming to advance the AI evaluation and testing ecosystem and strengthen AI governance (Part 3). ... While approaches to risk evaluation and testing vary significantly across the case studies, there was one consistent, top-level takeaway: evaluation frameworks always reflect trade-offs among different policy objectives, such as safety, efficiency, and innovation.   Experts across all eight fields noted that policymakers have had to weigh trade-offs in designing evaluation frameworks. These frameworks must account for both the limits of current science and the need for agility in the face of uncertainty. They likewise agreed that early design choices, often reflecting the “DNA” of the historical moment in which they’re made, as cybersecurity expert Stewart Baker described it, are important as they are difficult to scale down or undo later.  Strict, pre-deployment testing regimes—such as those used in civil aviation, medical devices, nuclear energy, and pharmaceuticals—offer strong safety assurances but can be resource-intensive and slow to adapt. These regimes often emerged in response to well-documented failures and are backed by decades of regulatory infrastructure and detailed technical standards.   In contrast, fields marked by dynamic and complex interdependencies between the tested system and its external environment—such as cybersecurity and bank stress testing—rely on more adaptive governance frameworks, where testing may be used to generate actionable insights about risk rather than primarily serve as a trigger for regulatory enforcement.   Moreover, in pharmaceuticals, where interdependencies are at play and there is emphasis on pre-deployment testing, experts highlighted a potential trade-off with post-market monitoring of downstream risks and efficacy evaluation.  These variations in approaches across domains—stemming from differences in risk profiles, types of technologies, maturity of the evaluation science, placement of expertise in the assessor ecosystem, and context in which technologies are deployed, among other factors—also inform takeaways for AI."

World Economic Forum 𝗷𝘂𝘀𝘁 𝗽𝘂𝗯𝗹𝗶𝘀𝗵𝗲𝗱 𝘁𝗵𝗲 𝗺𝗼𝘀𝘁 𝗰𝗼𝗺𝗽𝗿𝗲𝗵𝗲𝗻𝘀𝗶𝘃𝗲 𝗳𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸 𝗼𝗻 𝗔𝗜 𝗮𝗴𝗲𝗻𝘁 𝗴𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲 I've seen in December. In my two recent roles, we've deployed agents that optimize digital content on marketplaces, run retail media campaigns on platforms, create replenishment POs to prevent OOS, and identify opportunities for promotions or price increases. But here's my candid observation: most of us are moving faster than our governance frameworks can handle. This report adds a new perspective to the conversation. 𝗪𝗵𝗮𝘁'𝘀 𝗶𝗻𝘀𝗶𝗱𝗲: ⬇️ 1. Technical architecture breakdown: application, orchestration, and reasoning layers—plus protocols like MCP and A2A that enable agent interoperability across enterprise systems. 2. 7-dimensional classification system: role, autonomy, authority, predictability, function, use case, and environment. This helps you understand exactly what level of risk you're dealing with. 3. Real-world evaluation framework: task success rates, completion time, tool-use accuracy, edge case robustness, and trust indicators. Finally, practical metrics for production deployment. 4. Risk assessment lifecycle: a 5-step process from defining context to managing residual risk—mapped directly to agent capabilities and deployment scenarios. 5. Progressive governance model: baseline controls for every agent (access, monitoring, testing, human oversight), with safeguards that scale as autonomy and authority increase. 6. Multi-agent ecosystems: the future isn't single agents—it's networks of agents that negotiate, transact, and collaborate. The report covers emerging risks like drift, misalignment, and cascading failures. 𝗪𝗵𝘆 𝘁𝗵𝗶𝘀 𝗺𝗮𝘁𝘁𝗲𝗿𝘀 𝗳𝗼𝗿 𝗖𝗣𝗚: ➜ Don't underestimate agents, they're not glorified chatbots; they are powerful and act on a much higher decision-making efficiency. They're making decisions on inventory, pricing, promotions, and customer data. ➜ Without classification, you can't assess risk. Without evaluation, you can't validate performance. Without governance, you're flying blind. Time to learn what's running under the hood. ➜ The framework gives you a playbook: start with low-autonomy agents, test rigorously, scale governance as capabilities grow. And don't rely on your IT and data science teams, get your hands dirty, please, even by watching and getting involved only. ➜ This isn't academic, from what I can tell, it's designed for practitioners who need to deploy safely today while preparing for multi-agent ecosystems tomorrow. The bottom line: adoption without governance is reckless. Governance without practical frameworks is paralysis. This report gives us both. Full paper is here: https://lnkd.in/eVuBJWps #AI #AIAgents #CPG #FMCG #Enterprise #Governance #Innovation

Government interventions against ransomware are increasing. Arrests, infrastructure takedowns, sanctions, indictments, public exposure etc. But how do we assess their impact? Together with Jamie MacColl, Sophie Williams-Dunning and Bob Herczeg, we have just published a new Virtual Routes Pharos Series report: 'Assessing the Impact of Ransomware Interventions and Countermeasures: A Framework'. The research was funded by the Auswärtiges Amt (Federal Foreign Office) Germany. The starting point is simple: there is no shared, structured way to evaluate the impact of government interventions against ransomware actors. Some operations look dramatic, others are quiet; some appear decisive, others fade quickly. Without a common framework, assessments become anecdotal and episodic. So we developed one. The framework evaluates government-led interventions across four dimensions: severity, scope, longevity (and reversibility), and signalling value. It is designed for real-world use, supports graded assessment rather than false precision, and distinguishes between actor-level effects and broader ecosystem consequences. Most importantly, it makes trade-offs visible. To illustrate how it works, we apply it to cases involving REvil, Emotet, Hive, and LockBit. Grateful to many colleagues in the field for their feedback along the way. If we want cumulative learning in government counter-ransomware policy, we need a shared analytical language. This report is a step in that direction.

Effectiveness is now the real test of AML/CFT frameworks. This new Egmont Group research looks beyond technical compliance and focuses on what really matters under the FATF methodology: how Financial Intelligence Units perform in practice. The paper takes a horizontal view across Mutual Evaluation Reports and highlights recurring factors that consistently influence effectiveness ratings, particularly around: • the real use of financial intelligence by law enforcement • FIU independence, resourcing, and analytical capability • quality and timeliness of STR/SAR reporting • international cooperation under R.29 and R.40 • feedback loops between FIUs, supervisors, and reporting entities One clear takeaway: having the legal framework in place is no longer enough. Jurisdictions that perform well are those where financial intelligence is actively used to support investigations, asset tracing, and prosecutions — not where it simply exists on paper. For anyone working in FIUs, supervision, policy, or AML programme design, this is a useful reference point as the 6th round of FATF evaluations moves further into an effectiveness-driven phase. 📄 The full paper is attached to this post. #AML #CFT #FIU #FATF #EgmontGroup #FinancialIntelligence #Supervision #RegulatoryEffectiveness

An important (and short!) new policy brief from Stanford Institute for Human-Centered Artificial Intelligence (HAI) titled "Validating Claims About AI: A Policymaker's Guide". Key Takeaways (from the paper) ✅ AI companies often use benchmarks to test their systems on narrow tasks but then make sweeping claims about broad capabilities like “reasoning” or “understanding.” This gap between testing and claims is driving misguided policy decisions and investment choices. ✅ Our systematic, three-step framework helps policymakers separate legitimate AI capabilities from unsupported claims by outlining key questions to ask: What exactly is being claimed? What was actually tested? And do the two match? ✅ Even rigorous benchmarks can mislead: We demonstrate how the respected GPQA science benchmark is often used to support inflated claims about AI reasoning abilities. The issue is not just bad benchmarks; it is how results are interpreted and marketed. ✅ High-stakes decisions about AI regulation, funding, and deployment are already being made based on questionable interpretations of benchmark results. Policymakers should use this framework to demand evidence that actually supports the claims being made. The authors present here, and in the full paper (linked in the comments), a framework to help #AIGP answer important questions regarding vendor claims. Seems like an important framework for all organizations, and especially for boards and C-suites. Dominique Shelton Leipzig James (de Gaspé) Bonar, Ph.D, PCC John Barker, Esq., AIGP, CCEP, CHPC, CHRC, CHC

Excited to share our latest work on advancing the evaluation of the Long-Term Real-World Impacts of AI-Powered tools in health care contexts published in JMIR Publications flagship journal. link to the paper —> https://lnkd.in/dzDA3syg While AI holds immense promise for transforming clinical outcomes and operational efficiency, its real-world adoption has been slower than expected. This is partly due to insufficient evaluation frameworks that take critical factors like clinical integration, economic sustainability, and real-world impact into account. Current evaluation methods fall short in several critical ways: ❌ Outdated frameworks that don’t reflect the dynamic, complex nature of AI in clinical environments ❌ Implementation gaps, with little guidance on integrating AI tools seamlessly into healthcare workflows ❌ Overemphasis on technical metrics like sensitivity and specificity, overlooking real-world effectiveness ❌ Lack of standardized methods that extend beyond controlled trials to real-world settings ❌ Insufficient validation of existing guidelines, with many frameworks missing transparent methodologies or stakeholder input ❌ Regulatory blind spots, one example is a recent study that showed that nearly 50% of FDA-approved AI devices lack clinical validation data To address these gaps, we developed AI for IMPACTS, a comprehensive framework that evaluates AI tools beyond technical performance and the confines of clinical studies, focusing on long-term, real-world outcomes. It’s structured around seven key dimensions: I: Integration, Interoperability & Workflow M: Monitoring, Governance & Accountability P: Performance & Quality Metrics A: Acceptability, Trust & Training C: Cost & Economic Evaluation T: Technological Safety & Transparency S: Scalability & Impact This framework is designed to guide AI’s successful adoption in diverse healthcare settings while ensuring safety, sustainability, and clinical value in real-world contexts. It lays the groundwork for further validation through expert consensus and testing of the framework in real-world health care settings. It is important to emphasise that multidisciplinary expertise is essential for assessment, yet many assessors lack the necessary training. In addition, traditional evaluation methods struggle to keep pace with AI’s rapid development. To ensure successful AI integration, flexible, fast-tracked assessment processes and proper assessor training are needed to maintain rigorous standards while adapting to AI’s dynamic evolution. A huge thank you to my brilliant co-authors Noe Brasier, Emanuele Laurenzi, Prof. Dr. Sabina Heuss, Stavroula-Georgia Mougiakakou, Arzu Çöltekin, and Prof Dr Marc K Peter for their outstanding contributions. 🙌 #AIinHealthcare #DigitalHealth #HealthTech #ArtificialIntelligence #HealthcareInnovation #AIEvaluation #HealthCareTransformation #RealWorldImpact #IMPACTSFramework #InterdisciplinaryResearch

The CDC has updated its Framework for Program Evaluation in Public Health for the first time in 25 years This is an essential resource for anyone involved in programme evaluation—whether in public health, community-led initiatives, or systems change. It reflects how evaluation itself has evolved, integrating principles like advancing equity, learning from insights, and engaging collaboratively. The CDC team describes it as a “practical, nonprescriptive tool”. The framework is designed for real-world application, helping practitioners to move beyond just measuring impact to truly understand and improve programmes. I particularly like the way they frame common evaluation misconceptions, including: 1️⃣ Evaluation is only for proving success. Instead, it should help refine and adapt programmes over time. 2️⃣ Evaluation is separate from programme implementation. The best evaluations are integrated from the start, shaping decision-making in real time. 3️⃣ A “rigorous” evaluation must be experimental. The framework highlights that rigour is about credibility and usefulness, not just methodology. 4️⃣ Equity and evaluation are separate. The new framework embeds equity at every stage—who is involved, what is measured, and how findings are used. Evaluation is about learning, continuous improvement, and decision-making, rather than just assessment or accountability. As they put it: "Evaluations are conducted to provide results that inform decision making. Although the focus is often on the final evaluation findings and recommendations to inform action, opportunities exist throughout the evaluation to learn about the program and evaluation itself and to use these insights for improvement and decision making." This update is a great reminder that evaluation should be dynamic, inclusive, and action-oriented—a process that helps us listen better, adjust faster, and drive real change. "Evaluators have an important role in facilitating continuous learning, use of insights, and improvement throughout the evaluation (48,49). By approaching each evaluation with this role in mind, evaluators can enable learning and use from the beginning of evaluation planning. Successful evaluators build relationships, cultivate trust, and model the way for interest holders to see value and utility in evaluation insights." Source: Kidder, D. P. (2024). CDC program evaluation framework, 2024. MMWR. Recommendations and Reports, 73.

Evaluating Professional-Facing Digital Health & AI Tools This report examines how six major health systems define evidence requirements for digital health and AI technologies used by healthcare professionals. It shows how classification frameworks and evidence standards determine predictability, scalability, and investment readiness for HCP-facing AI systems. Key Takeaways: 1️⃣ Shift toward function-based classification. Jurisdictions increasingly use purpose-driven frameworks (NICE, HAS, FDA CDS criteria) to align evidence expectations with intended use and clinical risk. 2️⃣ Evidence standards lag behind professional-facing AI. Most HTA processes still prioritise QALYs, while many HCP-facing tools deliver workflow or efficiency gains; NICE and HAS now allow CMA or CCA where these metrics are more appropriate. 3️⃣ Non-RCT designs gain acceptance. Pragmatic trials, observational studies, cluster RCTs and simulation-based research are increasingly recognised when traditional trials are impractical for adaptive digital tools. 4️⃣ Regulators formalise pathways for algorithm updates. FDA PCCPs, Canadian and South Korean conditional modification routes, and EU AI Act monitoring provisions enable predefined model changes and continuous oversight. Synthesis: The authors conclude that current evaluation systems insufficiently capture the value of HCP-facing digital and AI tools, especially those improving workflow, efficiency, or decision-making. They identify risks arising from mismatched evidence expectations, outdated HTA metrics, and fragmented classification approaches across jurisdictions. They recommend functional classification frameworks, proportionate evidence standards, Bayesian and adaptive evaluation methods, broader HTA metrics, and formalised pathways for algorithm evolution. ➡️ How should investors incorporate functional classification and dynamic evidence pathways when assessing scalability and reimbursement readiness for professional-facing AI solutions? 🔗 Source(s): Evaluation Framework for Health Professionals’ Digital Health and AI Technologies: Evidence-Based Policy Recommendations. van Kessel R., et al. LSE Consulting, 2025. #digitalhealth #healthinvesting #venturecapital #healthcareinnovation #governance