I don't think people appreciate how genuinely hard the position you and the other assessors are in.
Imagine having a sibling who tells you everything (you're the only one who actually knows them), but the day they do something seriously wrong you can't actually tell your parents because it ruins the whole relationship.
You can choose not to tell so you keep the visibility, but then you're kind of complicit. So either way you lose something, access or integrity.
One real world example I'm reminded of is Enron. The outside firm hired to audit their books (Arthur Andersen) stayed quiet because Enron was too big a client to lose. The fraud ran for years and eventually took both of them out. That's the same thing we're seeing here: the side being checked is valuable enough that the checker can't afford to upset them.
Two things feel impossible to get around:
1. You might not be able to reply with full honesty, and that's the whole point.
2. Regulation is the obvious historical fix, but governments are not clean either.
Thanks @Buck for your notes on third-party risk assessment. You made the different parts that get lumped together legible. In particular fact-generation vs evidence analysis, and the two types of information laundering (whether it's the company's secrets being hidden or the assessor's) are now stuck with me.
As someone trying to find my break into AI safety, I really appreciate this rare and honest picture of what I'm walking into before I do (hopefully).
Yeah. I agree that that tension is pretty concerning. I have read about Enron (as well as most of the other famous examples of corporate disasters) and am definitely somewhat inspired by that.
I'll note that Redwood is actually mostly not in the bind you describe; we aren't very dependent on official relationships with AI developers; us getting blackballed from official relationships with them would be a bummer but by no means an existential threat.
There are many different activities that could be described as "third-party risk assessment". Here are some distinctions that I’ve found helpful thinking about the space over the last few weeks.
(Thanks Ajeya Cotra and Paul Christiano for discussions that inspired most of this.)
Throughout this, I refer to the actors as:
The next step in the analysis will be to think about different objectives of third party risk assessment and think about how those interact with these axes of variation.
Axes
Fact generation vs evidence analysis
This is maybe the one that comes up most. I'll define:
I think that evidence analysis vs fact generation are pretty different and it's not obvious that any projects or organizations should do both. The skillsets seem plausibly very different. Like, I suspect that during the main risk period, only a pretty small subset of the facts relevant to the risk analysis should be generated by third parties (as opposed to being reported by the company). So someone doing evidence analysis will naturally be operating several steps in the "evidence tree" away from someone generating a fact. And so I'm not sure there's that much synergy for these happening as part of the same project. E.g. I don't think it would be particularly useful for the security pentesters to work at the same org that does the overall assessment.
I think it's pretty weird that these are conflated so often (e.g. in lots of the widely-cited papers about AI auditing or evaluations like Frontier AI Auditing and Model Evaluation for Extreme Risks), they seem really different to me.
Laundering private evidence into sharable conclusions?
One function of risk analyses is to inform a stakeholder about the risks posed by a developer. One strategy is to have an auditor who access private information from the developer and uses it to answer a question, and then they give the answer to that question to the stakeholder without telling them the private information that caused them to reach that conclusion. The other option is to do the risk analysis just based on information that the stakeholder already knows (or is cleared to know).
In this post, I call this “evidence-laundering”. I don’t mean this with a negative connotation and will probably choose a different term in future because the negative connotation is so strong. I just wanted a distinct term that emphasizes that information is being processed from private evidence to public conclusions to reduce disclosure of commercially sensitive information.
I think I want to define this as: did the conclusion of a report rely on facts that were not stated in the report? So it's not evidence-laundering if you report a straightforward fact that your readers need to believe that you're not straightforwardly lying about because they can't personally check it. But it is evidence-laundering if you don't report the facts and instead report "based on private facts, things look ok".
Examples of the evidence-laundering strategy:
Examples of the just-public-evidence strategy
The core strategic question here is definitely "when should you use evidence-laundering vs transparency".
A few notes:
Incentive compatibility vs calibration
Should you give bad scores to developers if they don't give you sufficient access, or should you just use your best guess? If you do the latter, then anyone performing surprisingly poorly is better off not disclosing this. But if you do the former, then your risk assessments can’t be taken at face value by third parties, and it’s easier for AI developers to discredit you by saying “that org has no idea what’s going on, obviously we’re way safer than they think”. This probably works especially well when they’re trying to discredit you to their employees or other groups who have more access to private info. As an example of that dynamic, AI Lab Watch initially rated Google poorly on security due to them not disclosing much about their security, and this led some GDM people to say they thought it was less credible or usable.
As I said in the previous section, it's maybe rough to get stakeholders on board with risk assessments that assume the worst, but maybe it's doable and I think we should plausibly try to achieve this.
Current risk vs preparedness
Are you answering a question like "are the current risks adequately handled" or are you answering "is this developer on track to handle risks later"?
The downside of analyzing current risks is that they're inconsequential and will probably be inconsequential up until shortly before they're severe.
The downside of analyzing preparedness is that you have to be much more opinionated about futurism and threat models; your reports will rely on assumptions that are much more contentious.
Cross-developer comparability
Are you trying to make it easy or hard to compare between companies?
I think that cross-developer comparability makes much more sense if you're doing evidence analysis, because evidence-analysis assessments are more comparable between companies.
So kind of obviously, I think that the choice between these is basically a tradeoff between different goals: if you mostly want to pressure AI companies to behave better, then comparability is good; if you mostly want to inform stakeholders about the overall level of risk, then comparability is probably bad if you were also trying to do evidence laundering, because it makes it more costly for developers to share info with you.
Examples, classified against the axes above
Project
Fact gen vs evidence analysis
Company laundering
Auditor laundering
Current vs preparedness
Cross-developer comparability
Reviewer vs producer
Dangerous-capability evals (METR, UK AISI)
Fact gen
No
Yes
Now
Easy
Producer
Classifier-robustness red-teaming for misuse prevention
Fact gen
No
Yes
Now
Easy
Producer
David Rein's red-team of Anthropic monitors
Fact gen
Yes
No
Now
Hard
Producer
Security pen-testing
Fact gen
Yes
No
Now
Hard
Producer
CAISI DeepSeek evaluation
Fact gen
No
No
Now
Easy
Producer
Apollo in-context scheming evals
Fact gen
No
No
Now
Hard
Producer
METR review of Anthropic's sabotage risk report
Evidence analysis
Yes
No
Now
Hard
Reviewer
Redwood review of OpenAI CoT training, External review of DeepMind scheming-inability safety case
Evidence analysis
No
No
Now
Hard
Reviewer
METR Frontier Risk Report
Both
Slight (non-attribution)
No
Now
Very hard (deliberately)
Producer
AI Lab Watch, FLI AI Safety Index
Evidence analysis
No
No
Both
Easy
Producer
SaferAI risk-management maturity ratings
Evidence analysis
No
No
Prep
Easy
Producer
GovAI third-party compliance reviews (proposal)
Evidence analysis
Yes
No
Prep
Med
Reviewer
Brundage et al. AAL framework (proposal)
Both
Yes
No
Both
Easy (via AAL scale)
Both
The columns are far from independent: the whole table can be recovered by a short chain of single-question splits. The tree below is the chain that minimizes expected questions-to-classify. Note that auditor laundering occurs only at the fact-generation end, and evidence-analysis assessors only ever launder company secrets or nothing.