Skip to main content
sociable systems.
Public teardown · Always/Never Audit

The gold standard, audited

Anthropic, OpenAI, and Google DeepMind have each published a document meant to reassure the rest of us that the frontier is in careful hands. We ran all three through the Always/Never Audit, reading them the way a procurement team, a regulator, or a motivated executive does. The machinery is genuinely impressive. The open question is who is allowed to switch it off.

Audit summary. All three frameworks score strong on technical architecture. Stop-condition power is moderate for DeepMind, strongest but overridable for OpenAI, and conditional for Anthropic. On transparency Anthropic is fullest, OpenAI moderate, DeepMind limited. On public accountability all three are weak, because none lets an outside party force a halt.
The audit at a glance. The scale, the four dimensions, and the reasoning behind every grade are set out below in how the grades are reached.
The two reads

There are two ways to read a governance document, and the labs are counting on the first one.

You can read for intent, which is how these documents are written to be read: the vocabulary of responsibility, the safety cases, the thresholds, the reassuring sense that the adults are in the room. Or you can read for enforcement, which is what the hardest audiences actually do. A liability insurer does not care what a lab intends. It cares what the lab is structurally forced to do once intent becomes expensive.

Read for intent, all three frameworks reassure. Read for enforcement, the same shape surfaces in each of them: sophisticated machinery for detecting when to stop, wired to a switch that only the people with the most to lose from stopping are allowed to reach.

Six hostile readers at one table

The audit seats six adversarial readers around a single document. The cynic hunts for the escape hatch. The counsel strips out every intends to and aims to and asks what remains that a court could hold. The buyer asks what the pledge is worth when the model fails and the loss lands on them. The skeptic asks who grades the safety case, and whether that grader is paid by the graded. The labour advocate looks for where an engineer with a conscience is meant to go. The clinician asks whether the alarm halts anything or merely rings. Where the seats converge on the same clause, the flaw is structural rather than a matter of taste.

You can watch the council take a single promise apart, in about fifteen seconds, on the audit page.

The teardowns

Three frameworks, read as written

Each is quoted directly and read only as written. What follows is where the architecture gives way under its hardest audience.

Competitor-contingentAnthropic · Responsible Scaling Policy 3.1

The floor that lowers itself

Anthropic is the most candid of the three, and candour has a way of showing you exactly where the floor gives out. Its commitment not to train or deploy a model until it has adequate safeguards in place is real, right up until a competitor makes keeping it expensive. At that point the same document that promised restraint supplies the reasoning for setting it aside: if another developer will run the risk regardless, Anthropic’s own marginal contribution to the danger is small, so it may proceed. The policy says as much itself, that it “cannot unilaterally and unconditionally commit” to holding the line while the rest of the industry moves.

It is the most honest of the frameworks precisely because it writes the escape clause down. The adult in the room reserves the right to stop being the adult the moment the room turns competitive.

Executive overrideOpenAI · Preparedness Framework v2

The stop sign with a bypass

OpenAI has the sharpest brakes on the lot. Its framework names concrete capability thresholds and, alone among the three, commits in places to halt development until safeguards reach a critical standard. Read the governance detail, though, and the Safety Advisory Group meant to pull that brake turns out to be advisory in the strict sense. Leadership can take its recommendation, reject it, or proceed without it, and the document is careful to record that the group cannot, in its own word, “filibuster.”

So the clearest stop sign in the industry arrives fitted from the factory with an executive bypass. The authority to override the alarm sits with the office holding the launch calendar, which is the one place you would least want to keep it.

Undefined authorityGoogle DeepMind · Frontier Safety Framework 3.1

The alarm nobody has to answer

DeepMind pairs the most sophisticated triggers with the vaguest hands on the controls. External deployment waits until, in the framework’s own words, “the appropriate governance function determines the residual risk to be acceptable.” That function is never named, never given a test for independence, and the document’s single paragraph on governance describes the whole structure as internal. The trigger is precise; the body that decides whether to act on it is a shape with no edges.

And the decision leans, in writing, on what the competition is doing: risk counts as acceptable partly, in the framework’s own wording, “if other models are similarly capable and have few mitigations, then the marginal risk added by our external deployment is likely low.” Security levels are recommended, not required. The alarm is beautifully engineered. Who is obliged to answer it, and whether they answer to anyone outside the building, the document declines to say.

Methodology

How the grades are reached

The matrix scores four dimensions on a three-point scale: strong, partial, weak. Two of the four are kept deliberately apart. Transparency is what a framework discloses; accountability is whether anyone outside the company can make it stop. A lab can lead on the first and fail the second, and one does: Anthropic discloses the most, and no framework, Anthropic included, hands an outside party the power to force a halt.

Technical architecture
Does the framework define concrete capability levels, and the evaluations to detect when a model crosses them?
Stop-condition power
When the alarm sounds, is there a real, non-discretionary obligation to stop, or a reviewable judgment call?
Transparency and disclosure
Can an outside reader see the thresholds, the results, and who decides?
Public accountability
Can anyone outside the company force a halt over its objection?
The evidenceThe criteria behind each gradeEvery cell, in the framework's own words.
Technical architecture

DeepMind FSF 3.1 · Strong Built around Critical Capability Levels across misuse and deceptive-alignment categories, each mapped to a mitigation and an “alert threshold” review trigger. The framework is, in its own words, “built primarily around capability thresholds.” The machinery to detect danger is real and defined.

OpenAI Preparedness v2 · Strong Defines tracked categories with High and Critical thresholds and concrete harm definitions, backed by evaluations and a capability scorecard. Severe harm is quantified: “the death or grave injury of thousands of people or hundreds of billions of dollars of economic damage.”

Anthropic RSP 3.1 · Strong Capability thresholds tied to AI Safety Level standards, with required safeguards that must be in place before training or deploying past a threshold. The gating machinery is specified.

Stop-condition power

DeepMind FSF 3.1 · Moderate A gate exists, but it is discretionary. Deployment proceeds once “the appropriate governance function determines the residual risk to be acceptable,” and security levels are “recommended,” not required. A review, not a hard stop.

OpenAI Preparedness v2 · Strongest * The most explicit halt language in the set: for critical capabilities, “halt further development” until safeguards meet the standard. Graded strongest on language alone. The asterisk is that leadership can override it.

Anthropic RSP 3.1 · Conditional Commits not to train or deploy without adequate safeguards, then conditions it on the field: it “cannot unilaterally and unconditionally commit” to holding the line if others do not. Real until a competitor makes keeping it costly.

Transparency and disclosure

DeepMind FSF 3.1 · Limited Capability levels are described only qualitatively, the numeric alert thresholds are named but not published, and the deciding body is “the appropriate governance function,” never named, in a structure the document calls internal. Least disclosed of the three.

OpenAI Preparedness v2 · Moderate Publishes the framework, the categories, a quantified harm definition, and periodic capability scorecards, bounded by redactions and an unnamed advisory group.

Anthropic RSP 3.1 · Fullest The most detailed public framework of the three. It publishes its capability assessments and reasoning, names the Responsible Scaling Officer, Board, and Long-Term Benefit Trust, and commits to external expert input. Fullest disclosure, still bounded by confidentiality.

Public accountability

DeepMind FSF 3.1 · Weak Final authority is the unnamed, internal governance function. No independent body holds a binding veto, and no insulated route is specified for an engineer to raise an alarm.

OpenAI Preparedness v2 · Weak The Safety Advisory Group is advisory only. Leadership “can also make decisions without the SAG’s participation,” and the group “does not have the ability to ‘filibuster.’” No external veto.

Anthropic RSP 3.1 · Weak Despite the fullest disclosure, no outside party can force a halt. Final authority is the CEO and Board, and external review is conditional and non-binding. Transparency is high; enforceable outside accountability is not.

Grades read the documents as written, with every quote verified against the primary source. The full rubric is available as a downloadable spreadsheet.

The shared absence

None of them contains a never.

Set the three side by side and the same gap opens in all of them. Not one contains a hard never: a line the institution will not cross whatever the market does, enforceable by someone who does not draw the institution’s paycheque. There are thresholds, reviews, and advisory groups. There is no floor a committee cannot lower, and no switch a party without a launch calendar can reach.

Which means these are not safety pledges in the sense a reader assumes. They are risk-argument frameworks: documents built to explain, defensibly, why proceeding was reasonable, rather than to fix the point at which proceeding stops. The engineering is real. The governance is the part left conveniently to discretion.

What turns a promise into a covenant

The remedies are not mysterious, which is what makes their absence a decision rather than an oversight. A commitment becomes a covenant when someone outside the company can enforce it: an external body with binding authority to halt rather than advise, named in the text instead of gestured at, with a route that lets an engineer raise an alarm without passing it through the very people the alarm concerns. None of this sits beyond the reach of three of the best-resourced labs on earth. It simply is not what these particular documents were written to do.

Your document

The same read, turned on the document you cannot publish.

These three frameworks are public, which is the only reason this teardown can be. The Always/Never Audit is the same read applied to the document you would never post: your responsible-AI pledge, your vendor’s assurance language, the covenant you are about to sign or announce. The council finds; an accountable human reviewer signs the memo. You receive it in PDF and markdown within five working days.

Founder’s launch rate through 2026: $295 USD for one document, up to about ten pages.

A note on fairness

This reads three published documents as written, quotes them directly, and stops there. It is not a claim about anyone’s private conduct, and it is not legal advice. People inside all three labs have made versions of these criticisms themselves. The point is not that these companies are unusually careless. It is that the most respected governance documents in the industry still do not do the one thing their readers assume they do, and that yours deserves to be read at least as hard before it goes somewhere it cannot be recalled.

Read as published in July 2026: Anthropic’s Responsible Scaling Policy 3.1, OpenAI’s Preparedness Framework v2, and Google DeepMind’s Frontier Safety Framework 3.1. These documents are revised periodically; the findings describe them as they currently stand.