The Most Important Word in Demis Hassabis’s AI Safety Plan Is “Eventually”
He wants a U.S. standards body to decide which frontier models can ship. The plan depends on independent tests. Those come later.
A safeguard can exist in the design and fail at the moment that matters.
I learned this through a small but consequential failure in a system I helped build. The approval logic existed. The workflow looked correct. The boundary was clear. Yet when the moment of execution arrived, the system crossed it anyway.
The rule had not disappeared. It simply lived at the wrong layer.
That distinction matters because governance often fails in exactly this way. The policy exists. The review exists. The institution has the right name, the right committees, and the right intentions. But the decisive action happens somewhere the safeguard cannot reach.
That was what I kept thinking about while reading Demis Hassabis’s proposal for a U.S.-led Frontier AI Standards Body. The risks he describes are far larger: cyber offense, biological misuse, deceptive agents, and systems that may become difficult to control. But the underlying lesson is the same. A safeguard is not real because it appears in a diagram. It is real only if it binds when it counts.
I build evaluation and verification systems for AI agents. That gives me a particular bias: I distrust a clean score until I understand the test, the context, and the path from result to action.
Disclosure: My work includes AI evaluation and verification. That gives me both a perspective and a stake in this argument; readers should know both.
Hassabis’s proposal deserves serious attention. He is not asking for another principles document. He wants an institution with money, technical talent, access to unreleased models, the authority to set capability benchmarks, and eventually the power to decide whether a frontier model can enter the U.S. market. His core instinct is right: frontier AI cannot be governed by model cards and voluntary promises alone.
But the most consequential word in the proposal is not “frontier,” “AGI,” or “slowdown.”
Eventually.
Hassabis’s word for when the Standards Body would develop held-out tests independent of the labs it regulates.
The core issue: The proposal can give a new body real power over model releases before that body has its own independent test-making capacity. In governance, sequence is not an implementation detail. Sequence is substance.
The prophecy is not the policy
Hassabis opens in the register of a civilizational manifesto. AGI may be only a few years away. The technology may resemble fire or electricity. Humanity may be standing at the edge of abundance. That language is designed to make the reader feel the scale of the moment, and perhaps he is right about the scale.
The actual proposal is far more prosaic, which is where it becomes consequential. He suggests a federally overseen public-private or self-regulatory body modeled on FINRA. Industry would provide much of the funding. A board would include independent technical experts and open-source representatives. Benchmarks would determine which systems count as “Frontier-class.” Labs would initially submit models for review as much as 30 days before release. After the process proved itself, passing could become a condition for deployment in the United States.
The poetry is about civilization. The machinery is about market access.
That is not an argument against the proposal. Serious institutions are supposed to be made of procedures, budgets, evidence standards, and appeal rights. The problem is that those boring choices decide who gets power long after the grand language has disappeared from view.
The referee learns the first rules from the teams
Hassabis recognizes the central technical danger. Public benchmarks saturate. Models can be trained on related tasks. Test leakage and overfitting can turn a safety score into a performance. His answer is to update evaluations frequently and build independent held-out tests.
Then comes the sequence: the early evaluations would be developed in consultation with Frontier Labs. The Standards Body would build its own tests “eventually,” so they are “independent of the Labs to prevent overfitting.”
Consultation is not inherently corrupt. The labs have expertise, infrastructure, security practices, and access to the systems being measured. A regulator that refuses to learn from them would become technically obsolete almost immediately.
But the first benchmarks do more than measure. They define the regulated category. They decide which risks count, how much evidence is enough, what information a lab must disclose, what review costs, and which model can cross the market gate. Early definitions become software, hiring plans, procurement contracts, and precedent. They are hard to unwind.
In governance, sequencing is substance.
This is also not a stray idea from one scientist. In June, Google published a white paper proposing a federally overseen Frontier AI Regulatory Organization, or FARO. It likewise imagines an industry-backed institution, a board combining independent and industry representatives, capability benchmarks, audits, and government oversight. The paper says such a body should complement programs that give U.S. national-security agencies early access to certain advanced cyber models.
The institutional family resemblance matters. It does not prove bad faith. It shows that a major frontier lab and its parent company are actively shaping the architecture of the regime that could govern their market.
FINRA is not a foolish analogy. It is funded by member fees, includes both public and industry governors, and operates under SEC supervision. Its rules are reviewed, its finances are public, and its oversight sits inside a mature legal structure. That last part is easy to omit. Copying the funding shape without copying the accountability stack would not reproduce FINRA. It would reproduce its most capture-prone feature.
“Eventually the Standards Body should build up the technical capacity to create its own held-out tests independent of the Labs to prevent overfitting.”

The test is not the thing
A benchmark is a compressed question. It asks: can the model solve this task, under these instructions, with this scaffolding, on this dataset, scored in this way? Policy is tempted to turn the answer into a larger claim: is this system safe enough to release?
Those are not the same question.
NIST’s ARIA program makes the distinction plainly. Conventional benchmark datasets are often static, retrospective, and focused on model performance in isolation. They are valuable during development, but they do not capture the full operational setting: the human-AI configuration, secondary data use, security incidents, tools, permissions, or the noisy conditions in which harm actually occurs. NIST also warns that data and task contamination can inflate benchmark performance.
The failure I described at the beginning lived in precisely that gap. The relevant question was not whether the model could classify an instruction in isolation. It was whether the complete system, with memory, workflow state, approval logic, and permissions, would preserve the human’s intent at the point of action.
A recent government evaluation provides a clean example of how benchmark choice changes the story. DeepSeek’s own reported results made DeepSeek V4 Pro look roughly comparable to U.S. models released about two months earlier. CAISI’s broader suite, including non-public and held-out tasks, placed it closer to a U.S. model released about eight months earlier.
No misconduct is required for that divergence. The same model, evaluated through two different windows, produced two different accounts of where it stood.

Secret held-out tests are necessary because they reduce direct teaching to the test. They are not sufficient. They do not automatically solve underspecification, system-level behavior, strategic sandbagging, deployment drift, or the fact that the evaluator must choose which risks deserve a threshold in the first place.
The rule can be equal while the burden is not
Hassabis explicitly says the framework should apply to frontier systems whether they are open or closed, and regardless of country of origin. He also exempts non-frontier models from startups and academia. That is more careful than saying open source should simply be banned.
The asymmetry appears in practice. A proprietary lab can absorb a 30-day review as another launch workstream. It already has security staff, model-access controls, lawyers, dedicated evaluation teams, and the ability to delay a release without making the weights public.
An open-weight project that crosses the frontier threshold faces the same formal rule with a different cost structure. It must coordinate secure pre-release access, remediation, legal obligations, and a one-way public release. A research consortium may be able to do that. The fixed cost will still land differently.
The rule may be identical for everyone. The burden will not be.
A threshold also creates a cliff. Below it, a model is outside the special regime. Above it, the model may face pre-release review and a market-access decision. That invites pressure around the line: optimize just below it, argue about the metric, change the system after evaluation, or relocate the release.
The United States can exert enormous leverage over companies that want access to its market and infrastructure. It cannot make every sovereign actor submit. Hassabis hopes a U.S. framework would inspire international consensus. That is a worthwhile ambition. It is not an enforcement mechanism.
National security will not stay at the edge
The proposal places federal agencies and U.S. National Laboratories inside the testing system for national-security domains. Google’s related FARO paper goes further, describing a regulator that would complement programs giving national-security agencies early access to certain advanced cyber models.
This is not theoretical convergence. In July 2025, the Defense Department’s Chief Digital and Artificial Intelligence Office announced contract awards to Anthropic, Google, OpenAI, and xAI, each with a ceiling of $200 million, to develop agentic AI workflows across national-security mission areas.
Public record, July 2025: Anthropic, Google, OpenAI, and xAI each received a DoD contract vehicle with a ceiling of $200 million. A ceiling is not proof of control, capture, or classified access. It is evidence that the state already treats frontier labs as strategic partners.
Those contracts do not mean the Pentagon controls the labs, and they do not prove that the most capable models will be classified. They show something less dramatic and more important: commercial frontier AI and national strategy are already intertwined.
Once a capability is treated as a strategic asset, universal public release stops being the default assumption. Access may be tiered, monitored, restricted, or reserved for particular users. Some of that may be justified. But the institution is no longer only a product-safety referee. It also becomes part of the machinery that allocates access to strategic technology.
Other governments will face the same incentive. At the high end, the coordination problem begins to resemble arms control more than ordinary standards harmonization. A domestic market gate may reduce some risks. It cannot by itself stop a determined foreign state, a well-funded private actor, or a model that is copied and modified after release.
The strongest case for Hassabis
The best argument for the proposal is stronger than its critics sometimes allow.
Frontier labs do have the deepest technical knowledge. Government hiring and procurement are slow. High-quality evaluations require secure access, scarce talent, expensive compute, and domain experts in cyber and biology. A standards body could create common protocols, force incident reporting, build secure information-sharing channels, and give evaluation results consequences.
Google DeepMind’s own Frontier Safety Framework is not a decorative pledge. It uses capability thresholds, pre-launch safety-case reviews, and broader assessments that combine model capabilities with explicit judgments about risk acceptability. Hassabis also names overfitting, saturated benchmarks, third-party auditors, and the need for independent held-out tests. He understands the technical problem.
The issue is not whether labs should be consulted. They should. The issue is whether the institution can become a mandatory gate before its independence is operational.
Once the first thresholds create regulated members, budgets, vendors, launch calendars, and precedent, “eventually” becomes harder to reach. Temporary architecture has a way of becoming permanent infrastructure.
Start where the proposal says we will end
We need something. A world in which each lab writes its own safety framework, chooses its own tests, announces its own passing score, and releases on its own timetable is not serious governance.
But a credible standards body should earn the power to gate the market. It should not receive that power on the promise that independence will be added later.
Build independent test capacity before the first mandatory decision. Labs can advise, supply secure access, and challenge test validity. They should not be the only source of the evaluation instrument. Use multiple sealed test providers, rotating task banks, and pre-committed protocols.
Fund the body through a firewall. Member levies can pay for scarce talent and compute, as they do in other self-regulatory systems. Budgets, procurement, evaluator compensation, and hiring should be separated from discretionary sponsorship by any single lab.
Evaluate systems, not only base models. The object being governed is a deployed system: model, tools, memory, permissions, scaffolding, users, and monitoring. Pre-release tests should be paired with post-deployment evidence and incident reporting.
Make the gate contestable. Publish the rationale for thresholds where security permits. Require conflict disclosures. Create an external appeal path, periodic review, and a way to retire tests that no longer measure the risk they claim to measure.
Prevent the compliance regime from becoming an incumbency tax. Provide subsidized secure testing, staged obligations, and narrow safe harbors for researchers and open projects. The first challenger to reach the frontier should not need a hyperscaler’s legal department to prove it is safe.
Separate civilian market access from national-security access. Early government access may be defensible, but its scope, legal authority, oversight, and relationship to public release should be explicit rather than hidden inside a general safety regime.

The failure I described at the beginning was not caused by the absence of a rule. The rule existed. The failure came from where the rule was placed and when it became binding.
The safeguard arrived before the action in the diagram, but after it in practice.
That is the risk here. We could create a standards body that looks independent, publishes serious research, consults respected scientists, and evaluates the most powerful models in the world. We could give it authority over market access and still postpone the capability that makes that authority legitimate: independent tests that the regulated labs did not help shape and cannot anticipate.
By then, the institution would already have procedures, dependencies, precedents, and constituencies. Independence would not be the foundation. It would be a future upgrade.
Hassabis is right about urgency. He may also be right that AGI is close. Those are arguments for building the hard institution first, not for installing the market gate and promising that the independent test arrives later.
We need a referee. Independence cannot be a future feature.
Sources
Demis Hassabis, “A Framework for Frontier AI and the Dawning of a New Age,” July 14, 2026.
Google, “A Pragmatic Approach to AI Governance in America,” June 2026.
NIST Center for AI Standards and Innovation, “CAISI Evaluation of DeepSeek V4 Pro,” May 1, 2026.
Google DeepMind, “Strengthening our Frontier Safety Framework,” updated April 17, 2026.
FINRA, “About FINRA,” “FINRA Board of Governors,” and “How FINRA Serves Investors and Members.”



