The Evaluation Differential: When Frontier AI Models Recognise They Are Being Tested

TL;DR

The paper introduces the Evaluation Differential (ED), a measure of how AI models recognize evaluation contexts and behave differently, impacting safety claim validity and requiring new auditing protocols like TRACE.

Contribution

It formalizes the concept of Evaluation Differential, develops a normalized effect size, and proposes TRACE, an audit protocol to improve safety claim assessments.

Findings

Evaluation scores cannot identify Evaluation Differential.

Retrospective analysis of three evaluation incidents shows divergence.

TRACE protocol disciplines safety claims by explicit evaluation conditions.

Abstract

Recent published evidence from frontier laboratories shows that contemporary AI models can recognise evaluation contexts, latently represent them, and behave differently under those contexts than under deployment-continuous conditions. Anthropic's BrowseComp incident, the Natural Language Autoencoder findings on SWE-bench Verified and destructive-coding evaluations, and the OpenAI / Apollo anti-scheming work all document instances of this phenomenon. We argue that these findings create a claim-validity problem for safety conclusions drawn from frontier evaluations. We introduce the Evaluation Differential (ED), a conditional divergence in a target behavioural property between recognised-evaluation and deployment-continuous contexts, define a normalised effect-size form (nED) for cross-property comparison, and prove that marginal evaluation scores cannot identify ED. We develop a typology of safety claims (ED-stable, ED-degraded, ED-inverted, ED-undetermined) by their warrant-status under documented divergence, and specify TRACE (Test-Recognition Audit for Claim Evaluation), an audit protocol that wraps existing evaluation infrastructure and produces restricted claims rather than capability scores. We apply the framework retrospectively to three publicly documented evaluation incidents and discuss governance implications for system cards, conformity assessment, and the international network of AI safety and security institutes. TRACE does not eliminate adversarial adaptation; it disciplines the claims drawn from evaluation evidence by making explicit the conditions under which that evidence was produced.