Safety used to sound like a simple procurement question.
A vendor says its model is safe. The slide deck has benchmark scores. The scores have respectable names: accuracy, F1, safety score, refusal rate, attack success rate. Everyone nods, because familiar metric names create the soothing illusion that someone has already done the hard work.
Then the annoying question arrives: safe according to what measurement?
That is where the comfort collapses. The paper behind this article, AISafetyBenchExplorer: A Metric-Aware Catalogue of AI Safety Benchmarks Reveals Fragmented Measurement and Weak Benchmark Governance, studies 195 AI safety benchmarks released between 2018 and 2026 and argues that the field’s main problem is no longer benchmark scarcity. It is benchmark fragmentation: many artifacts, many labels, many scores, and not enough shared measurement language.1
This is not a paper about one new benchmark defeating all previous benchmarks in ceremonial leaderboard combat. Blessedly. It is a catalogue and meta-evaluation paper. Its value is diagnostic: it tells us what the safety-benchmarking ecosystem now looks like when the unit of analysis is not only the benchmark, but also the metric hiding inside the benchmark.
The business implication is uncomfortable but useful. If your AI governance process still asks, “Which safety benchmark did the model pass?”, it is asking an incomplete question. The better question is: “What exactly did the benchmark measure, who judged it, how was it aggregated, is it maintained, and does it match the risk we actually face?”
That is less elegant than a single score. It is also less likely to embarrass you later.
The evidence starts with abundance, not clarity
AISafetyBenchExplorer reports a corpus of 195 AI safety benchmarks. On the surface, this looks like progress. A young field moved quickly. Researchers built tests for toxicity, bias, jailbreak resistance, refusal behavior, rule following, reasoning traces, hidden behavior, medical safety, agentic tasks, and more. The market asked for safety evidence; the research community produced a lot of it.
But the catalogue’s high-level numbers point in a different direction.
| Signal from AISafetyBenchExplorer | Reported value | Why it matters |
|---|---|---|
| Total AI safety benchmarks | 195 | The field is no longer small enough to navigate informally. |
| Publication span | 2018–2026 | Safety benchmarking has become a fast-moving ecosystem, not a handful of canonical tests. |
| Peak publication year | 2023, with 57 benchmarks | Benchmark creation surged during the post-LLM safety rush. |
| Complexity distribution | 7 Popular, 68 High, 94 Medium, 26 Low | Many usable resources exist, but only a tiny subset has broad reference status. |
| English-only benchmarks | 165 / 195 | Safety evidence is heavily concentrated in English-language evaluation. |
| Evaluation-only resources | 170 / 195 | Most resources test models; fewer provide training, mitigation, or operational tooling. |
| Stale GitHub repositories | 137 / 195 | Many benchmark artifacts appear weakly maintained. |
| Stale Hugging Face datasets | 96 / 195 | Dataset persistence and update discipline are uneven. |
The first lesson is quantitative: benchmark abundance has arrived. The second lesson is organizational: abundance did not automatically create governance.
A mature evaluation ecosystem needs more than many tests. It needs common definitions, stable maintenance, transparent scoring, coverage discipline, and some agreement about when two results are genuinely comparable. AISafetyBenchExplorer suggests that AI safety benchmarking has grown faster than those supporting institutions.
That matters because benchmark users rarely read every methodological appendix. They see names, scores, and rankings. A vendor says its model improved on safety. A product team asks whether deployment risk is acceptable. A compliance team wants evidence. A board wants a short answer. The benchmark result becomes a shortcut.
The paper’s warning is that the shortcut may be structurally unsafe.
The field has many benchmarks, but few common anchors
AISafetyBenchExplorer uses a four-tier complexity taxonomy: Popular, High, Medium, and Low. The labels are not merely about difficulty in the casual sense. They combine signals such as community-standard status, citation traction, adversarial design, reasoning demand, subjectivity, domain criticality, and evaluation complexity.
The distribution is telling: 94 benchmarks fall into the Medium tier, 68 into High, 26 into Low, and only 7 into Popular.
That pattern says something specific. The field has a large middle: many benchmarks that may be useful, specialized, and technically legitimate, but not yet stable reference points. The Popular tier is tiny. In other words, AI safety evaluation has generated many instruments, but only a few common measuring rods.
For research, that can be productive. Specialized benchmarks allow researchers to probe narrow failure modes. For business deployment, it creates a selection problem. If a company wants to evaluate a customer-service agent, a medical assistant, a financial research workflow, or an internal coding tool, there is no simple universal answer to “the” safety benchmark. There is only a portfolio design problem.
That distinction is important. A portfolio is not a pile.
A pile says, “We ran many benchmarks.” A portfolio says, “These benchmarks cover distinct risks, use interpretable metrics, avoid redundant failure modes, and are maintained well enough to support decisions.” The second version requires governance. The first version mainly requires enthusiasm and spreadsheet stamina.
Metric names travel faster than metric meanings
The paper’s strongest contribution is the metric-level catalogue. AISafetyBenchExplorer does not stop at recording benchmark names and metadata. It also records metric names, conceptual descriptions, methodological details, mathematical definitions where available, deviations from standard definitions, and notes on benchmark-specific usage.
That extra layer matters because the same metric label can hide different evaluands, judges, aggregation rules, and threat models.
Consider “accuracy.” In ordinary statistical language, accuracy sounds stable: correct predictions divided by total predictions. But in the catalogue, accuracy can refer to moderation-label classification, short-form factual answering, explicit rule compliance, or policy-schema classification. The arithmetic shell may look familiar. The object being measured is not.
The same problem appears across several metric families.
| Metric family | Surface meaning | What can drift underneath | Business risk |
|---|---|---|---|
| Accuracy | Correct over total | Target task, unit of analysis, ground truth source | False comparability across vendors or model versions. |
| F1 | Precision–recall balance | Positive class, class cardinality, claim level vs category level | A model can look better while solving a different detection problem. |
| Safety score | One safety-facing scalar | Non-leakage, personalized safety, medical safety, weighted composites | “Safer” may mean safer under a different definition. |
| Refusal / compliance | Behavioral conformity | Refusing harmful prompts, avoiding over-refusal, abstaining under uncertainty, following domain ethics | The metric may reward opposite behaviors depending on context. |
| Attack success rate | Adversarial vulnerability | Raw jailbreak frequency, deduplicated strategy success, severity scoring, defense reduction | Security claims may be directionally right but operationally mismatched. |
| Composite score | Single aggregate | Equal weighting, domain weighting, inverse-difficulty weighting, lexicographic rules, integrity gating | One number can conceal value judgments and hidden thresholds. |
This is the heart of the paper’s diagnosis. The problem is not that researchers are careless because they reuse words. It is that evaluation language is doing too much work. A metric label that once named a statistical procedure now often functions as a loose container for benchmark-specific assumptions.
For business readers, the correction is simple but consequential: metric names should be treated as labels, not guarantees.
A safety score is not meaningful until you know the safety event. An F1 score is not meaningful until you know the positive class and the unit of analysis. A refusal rate is not meaningful until you know whether refusal is desirable in the sampled prompts. A composite score is not meaningful until you know what was compressed and how.
This sounds pedantic. It is not. It is the difference between evidence and decorative numeracy.
The paper’s examples show why metric design changes the conclusion
AISafetyBenchExplorer uses selected benchmark examples to make the metric-collision problem concrete. These examples are not all serving the same role. Some demonstrate why marginal scores can be misleading. Some expose risks missed by output-only evaluation. Some show why evaluators and agents need to be treated as part of the benchmarked system.
| Example discussed in the paper | Likely purpose in the argument | What it supports | What it does not prove |
|---|---|---|---|
| NESSiE | Main illustration of joint compliance | Safety and helpfulness can look acceptable separately while failing as a combined policy requirement. | It does not prove all safety benchmarks need the same joint metric. |
| CoT-Control | Extension to reasoning-channel risk | Final-answer evaluation can miss whether reasoning traces are controlled or manipulated. | It does not show that all deployed models currently have strong hidden-reasoning control. |
| AuditBench | Governance example for audit reliability | Auditing tools themselves need empirical evaluation rather than assumed authority. | It does not certify one universal auditing stack. |
| PostTrainBench | Agentic evaluation and anti-gaming example | In agentic settings, cheating prevention becomes part of benchmark design. | It does not mean every enterprise benchmark needs full agentic anti-cheat infrastructure. |
| Metric-collision appendix | Robustness-style support for the taxonomy of collisions | The collision pattern recurs across several metric families, not only one convenient example. | It is still a compact qualitative audit, not a fully programmatic count across every metric row. |
NESSiE is the cleanest example. It distinguishes Safe Score, Helpful Score, and Safe–Helpful Score. The point is not just that there are three numbers. The point is that joint compliance is harder than marginal compliance. A model that always refuses may appear safe. A model that always answers may appear helpful. Neither behavior is the desired policy.
The Safe–Helpful metric changes the success event. It asks whether the model can withhold forbidden information while providing authorized information in the complementary case. That blocks the two lazy strategies: blanket refusal and reckless answering. A single marginal metric can miss that distinction.
CoT-Control pushes the problem into reasoning traces. Output-level evaluation asks whether the final answer behaves properly. Reasoning-channel evaluation asks whether the model can control, conceal, or manipulate chain-of-thought disclosures. Even if present models are limited in this capability, the methodological point is durable: final-answer benchmarks can under-measure risks in systems where reasoning traces, tool calls, or hidden intermediate steps matter.
AuditBench makes a related move. It treats alignment auditing as something to benchmark, not as a magical external oracle. That is useful because audit quality depends on the investigator agent, the target model, the tools, and the deployment setup. A weak audit can produce comforting failure-to-detect results. Very convenient. Also useless.
PostTrainBench adds the agentic twist. If agents can train on test data, download existing tuned checkpoints, or misuse discovered API keys, then evaluator integrity is not an administrative detail. It is part of the measurement design. Once the subject being evaluated can strategically interact with the evaluation environment, anti-gaming infrastructure becomes part of the benchmark itself.
These examples point to one broader lesson: safety metrics are not passive thermometers. They define the success event. Change the success event, and you may change the scientific and operational conclusion.
The appendix is not a second thesis; it is support for the collision diagnosis
The paper’s extended metric-collision audit is worth reading carefully because it clarifies the status of the evidence.
It is not a full automated census of every repeated label and every divergent operationalization in the metrics sheet. The author says directly that a fully programmatic count would strengthen the claim. That limitation matters.
But the appendix still does useful work. It broadens the collision analysis beyond the main examples and classifies recurring families such as accuracy, F1, safety score, refusal/compliance, attack success, robustness, composite scores, harmfulness/toxicity, bias score, recall/detection, pass rate, controllability, audit bundles, and joint compliance. Severity ratings indicate how misleading name-only comparison would be across benchmarks.
Two collision modes recur.
First, cross-benchmark collision: the same label is reused for different evaluands, judges, or aggregation rules. This is the obvious comparability problem. Two reports both say “F1,” but one is about moderation classes, another about claim-level factual support, and another about reasoning-faithfulness labels.
Second, within-benchmark branching: several differently named metrics are generated from the same underlying pipeline by decomposition, conditioning, or gating. This is subtler. A benchmark may appear to offer diverse measurements, when several headline values are mostly different views of the same evaluation machinery.
Both failure modes matter for portfolio design. Cross-benchmark collision makes naive comparisons dangerous. Within-benchmark branching can create the illusion of coverage. A dashboard with six numbers is not necessarily six independent pieces of evidence. Sometimes it is one pipeline wearing six hats. Fashionable, perhaps. Statistically less impressive.
Governance failure shows up as maintenance, language concentration, and grey literature
The paper’s governance argument is not abstract. It shows up in the catalogue fields.
AISafetyBenchExplorer reports 137 stale GitHub repositories and 96 stale Hugging Face datasets. It reports 165 English-only benchmarks out of 195. It reports that benchmark publication surged in 2023, declined in 2024, dropped more sharply in 2025, and treats 2026 as provisional because the year is incomplete. It also identifies arXiv preprints as the largest known publication venue category and notes heavy reliance on preprint circulation.
These signals do not mean the benchmarks are worthless. That would be too easy and mostly wrong.
They mean benchmark quality has an infrastructure layer. A benchmark is not only a task description and a dataset. It is a maintenance promise, a documentation practice, a scoring procedure, a language-coverage decision, a repository state, and a claim about what counts as evidence.
For businesses, this reframes due diligence.
A benchmark that is stale may still be useful for historical comparison, but weaker for current deployment decisions. An English-only benchmark may be fine for an English-only internal tool, but weak evidence for multilingual customer support. A preprint benchmark may be useful early evidence, but should not be treated as mature consensus. A benchmark with unclear aggregation may be acceptable for exploration, but not for procurement scoring.
The boring metadata is not boring. It is where hidden evaluation risk lives.
What companies should change in AI evaluation practice
The paper does not provide a vendor-selection recipe. It does not say, “Use benchmark X and ignore benchmark Y.” That is not its contribution.
Its contribution is to make the evaluation governance problem legible. From that, Cognaptus can infer a practical checklist for teams buying, deploying, or auditing AI systems.
| Governance question | What the paper directly supports | Practical business use | Boundary |
|---|---|---|---|
| What does the metric mean? | Familiar labels often hide different operational definitions. | Require metric cards explaining evaluand, judge, unit of analysis, aggregation, and success criteria. | The paper does not standardize every metric; it argues for recording semantics. |
| Is the benchmark maintained? | Many GitHub repositories and datasets are reported as stale. | Treat maintenance status as part of evidence quality. | “Stale” does not automatically mean invalid; it changes confidence and use case. |
| Does the suite cover the deployment context? | English-only and evaluation-only resources dominate the catalogue. | Audit language, domain, modality, and risk coverage before accepting results. | Coverage requirements differ by product and jurisdiction. |
| Are several metrics independent? | Within-benchmark branching can create apparent diversity from one pipeline. | Avoid counting sibling metrics as separate evidence without checking dependency. | Related metrics can still be useful diagnostics. |
| Can the evaluated system game the test? | Agentic benchmarks show evaluator integrity can become part of the task. | Add anti-gaming controls for tool-using agents, coding agents, and autonomous workflows. | Not every simple chatbot benchmark needs agentic anti-cheat design. |
| Is the benchmark portfolio balanced? | The corpus is fragmented across complexity, language, maintenance, and metric semantics. | Build benchmark portfolios around risk coverage, not benchmark quantity. | Portfolio design remains judgment-heavy and domain-specific. |
The operational shift is from benchmark acceptance to benchmark inspection.
A procurement team should not accept “we passed safety benchmarks” as a complete answer. It should ask for the metric definition, the judge type, the aggregation rule, the language scope, the repository state, the dataset state, and the failure modes covered. A model-risk team should not compare two safety scores until it verifies that the scores refer to comparable events. A product team should not treat over-refusal and harmful compliance as one generic “safety” axis.
This is annoying work. That is precisely why it belongs in governance rather than ad hoc model testing.
A simple benchmark-governance checklist
For business use, the paper’s message can be turned into a compact review procedure.
Before using a benchmark result in a deployment, procurement, or compliance decision, ask:
- Evaluand: What behavior, risk, or capability is actually being measured?
- Unit of analysis: Is the score computed per prompt, response, claim, conversation, task, trajectory, or agent run?
- Judge type: Is the label produced by humans, heuristics, model judges, classifiers, exact matching, or expert review?
- Aggregation rule: Are results averaged, weighted, gated, lexicographically ranked, or compressed into a composite score?
- Success event: Does the metric reward refusal, compliance, calibrated abstention, truthfulness, helpfulness, robustness, or some conjunction of these?
- Coverage: Does the benchmark match the deployment language, domain, modality, and failure mode?
- Maintenance: Are the repository, dataset, documentation, and scoring scripts alive enough for current use?
- Independence: Are multiple reported metrics independent signals, or siblings from the same pipeline?
- Gaming resistance: Could a tool-using or agentic system exploit the evaluation setup?
- Decision role: Is the benchmark being used for exploration, vendor comparison, deployment gating, monitoring, or audit evidence?
The last question is the one many teams skip. A benchmark that is acceptable for exploration may be too weak for deployment gating. A metric that is useful for diagnosing one failure mode may be misleading as a vendor ranking. Evidence is not context-free. It has a job.
What remains uncertain
AISafetyBenchExplorer is best read as a catalogue-backed diagnosis, not as a final measurement standard.
The paper itself states two important limitations. First, the complexity methodology report covers an earlier 176-benchmark audit, while the updated workbook reports the 195-benchmark empirical snapshot. Future versions should rerun the formal complexity analysis over the full updated corpus. Second, the metric-collision argument is strong qualitatively, but a fully programmatic count of repeated metric labels and divergent operationalizations across the entire metrics sheet would make it stronger.
There are also practical uncertainties for business users.
The paper does not decide which benchmarks should be used for a specific industry. It does not provide a universal weighting scheme for benchmark portfolios. It does not solve the problem of model-judge reliability. It does not convert safety into one clean enterprise KPI, because that would contradict the paper’s own warning.
Its value is upstream of those decisions. It tells organizations not to confuse benchmark volume with evidence quality, and not to confuse metric familiarity with metric comparability.
That is enough to change practice.
The real failure mode is benchmark theater
The AI safety field has built a large evaluation ecosystem. That is good. It is better than having no tests, no datasets, no adversarial probes, and no shared artifacts.
But the next problem is already visible. Once benchmarks become abundant, they become easy to misuse. A company can collect scores without understanding definitions. A vendor can cite familiar metric names without exposing aggregation logic. A governance team can build a dashboard that looks rigorous while mixing incompatible measurements. Everyone gets a number. Nobody gets clarity.
AISafetyBenchExplorer’s quiet contribution is to make that theater harder to sustain.
It shows that AI safety evaluation now needs the unglamorous machinery of mature measurement: metric registries, coverage audits, maintenance norms, benchmark stewardship, and portfolio discipline. The field does not merely need more benchmarks. It needs better benchmark governance.
The next time a model is described as “safe,” the right response is not immediate skepticism. It is a structured follow-up:
Safe by which benchmark, under which metric definition, judged by whom, aggregated how, maintained by whom, and relevant to which deployment risk?
Not as catchy as a leaderboard. Much more useful.
Cognaptus: Automate the Present, Incubate the Future.
-
Abiodun A. Solanke, “AISafetyBenchExplorer: A Metric-Aware Catalogue of AI Safety Benchmarks Reveals Fragmented Measurement and Weak Benchmark Governance,” arXiv:2604.12875, 2026. https://arxiv.org/abs/2604.12875 ↩︎