Red teaming

Red teaming borrows from cybersecurity: a dedicated team (internal or contracted) plays attacker against a model, trying to elicit harmful outputs, jailbreaks, biased behavior, or capability misuse. The goal isn't to prove the model is "safe" — it's to surface failure modes early, quantify them, and patch the worst before public release. By 2026, red teaming is standard practice at every frontier lab. Anthropic, OpenAI, Google DeepMind, and Meta all publish red team findings in their model cards. A typical red team campaign runs hundreds to thousands of hours: probing for CBRN (chem/bio/rad/nuclear) uplift, election interference, child safety violations, autonomous replication risks, and jailbreak resistance. External red teams (METR, Apollo Research, government AISI labs) add independent evaluation. Red teaming has clear limits. It finds what the team thinks to look for; novel attack vectors invented after release still land. It's also expensive — frontier model red teams can cost millions of dollars per release. The trend is toward automated red teaming where one model generates adversarial prompts against another, scaling beyond human-only approaches. Treat published red team results as a lower bound on real-world failure rates, not an upper bound.