Expanding External Access To Frontier AI Models For Dangerous Capability Evaluations
Jacob Charnock, Alejandro Tlaie, Kyle O'Brien, Stephen Casper, Aidan Homewood
TL;DR
The paper addresses the lack of a concrete framework for external risk evaluations of frontier AI models by introducing a taxonomy that separates access into model access, model information, and evaluation time frame. It maps these dimensions to three descriptive Access Levels (AL1–AL3) aligned with the EU General-Purpose AI Code of Practice, arguing that deeper access can improve evaluation rigor and trust but requires safeguards to mitigate security and capacity risks. The main contributions are (i) a formal taxonomy of access methods, (ii) a three-level access framework, and (iii) a discussion of interdependencies and practical safeguards to enable safer, more informative external evaluations. This framework aims to standardize communication among evaluators, frontier AI companies, and policymakers and to guide future tooling and governance around structured external evaluations.
Abstract
Frontier AI companies increasingly rely on external evaluations to assess risks from dangerous capabilities before deployment. However, external evaluators often receive limited model access, limited information, and little time, which can reduce evaluation rigour and confidence. The EU General-Purpose AI Code of Practice calls for "appropriate access", but does not specify what this means in practice. Furthermore, there is no common framework for describing different types and levels of evaluator access. To address this gap, we propose a taxonomy of access methods for dangerous capability evaluations. We disentangle three aspects of access: model access, model information, and evaluation timeframe. For each aspect, we review benefits and risks, including how expanding access can reduce false negatives and improve stakeholder trust, but can also increase security and capacity challenges. We argue that these limitations can likely be mitigated through technical means and safeguards used in other industries. Based on the taxonomy, we propose three descriptive access levels: AL1 (black-box model access and minimal information), AL2 (grey-box model access and substantial information), and AL3 (white-box model access and comprehensive information), to support clearer communication between evaluators, frontier AI companies, and policymakers. We believe these levels correspond to the different standards for appropriate access defined in the EU Code of Practice, though these standards may change over time.
