AI safety evaluation must continuously evolve to keep pace with real-world usage scenarios.
On August 27, 2025 (US time), OpenAI published “Findings from a pilot Anthropic–OpenAI alignment evaluation exercise: OpenAI Safety Tests.” Anthropic and OpenAI applied their internal safety and misalignment evaluations to each other’s public models and shared the results.
This article explains the evaluation design intent, key findings (Instruction Hierarchy / Jailbreaking / Hallucination / Scheming), and practical implications based on OpenAI’s official publication.
Table of Contents
- Joint Evaluation Overview
- Overall Evaluation Results
- Instruction Hierarchy
- Jailbreaking Resistance
- Hallucination
- Scheming (Deception, Self-Preservation, Reward Hacking)
- Evaluation Design Characteristics
- Observed Behavioral Patterns
- OpenAI’s Findings and Future Directions
- Practical Considerations for Enterprise Adoption
- Summary
Joint Evaluation Overview
OpenAI evaluated Anthropic’s Claude Opus 4 / Claude Sonnet 4 using their own tests, while also presenting results for GPT-4o / GPT-4.1 / OpenAI o3 / OpenAI o4-mini that powered ChatGPT at the time. The evaluation was designed to observe model “propensities” rather than strict head-to-head comparisons.
-
Emphasizes vulnerability and behavioral pattern identification over fairness
-
Relaxes some external safeguards during evaluation (standard practice for dangerous capability assessment)
-
Claude models tested via API, mostly with reasoning enabled, some with no thinking
-
Minimal adjustments to each company’s existing evaluations
In essence, this joint evaluation is a pilot to observe model behavior in challenging scenarios and surface potential gaps.
Overall Evaluation Results
| Evaluation Category | Key Findings |
|---|---|
| Instruction Hierarchy | Claude 4 shows strengths. Robust extraction resistance and conflict tasks (with some failures). |
| Jailbreaking | o3 / o4-mini perform better. Claude struggles with “past tense” attacks. Note scoring error impacts. |
| Hallucination (No-Browse) | Claude reduces incorrect answers through refusal / OpenAI attempts answers with more correct and incorrect responses. GPT-4o performs well on biographical evaluation. |
| Scheming | o3 and Sonnet 4 show low rates. High environment dependency makes average-only interpretation inadequate. |
Instruction Hierarchy
Tests whether models maintain “System > Developer > User” priority ordering.
- Claude 4 is strong in system prompt extraction resistance, performing equal to or slightly better than o3 in password/phrase protection.
Source:https://openai.com/index/openai-anthropic-safety-evaluation/
- Robust in System ↔ User conflict tasks, though not without occasional failures.
Source:https://openai.com/index/openai-anthropic-safety-evaluation/
- In emergency scenarios, observed prioritizing safety concerns over format adherence.
Overall, Claude 4 demonstrates strength in instruction hierarchy compliance.
Jailbreaking Resistance
Evaluates diverse attack vectors (StrongREJECT v2, past-tense framing, compound attacks, etc.).
-
o3 / o4-mini relatively robust. Claude weaker against “past tense” attacks.
-
Automated scoring errors create differences, making qualitative review essential.
-
Tutor test showed Sonnet 4 (no thinking) outperforming Opus 4 (reasoning) in a reversal.
Source:https://openai.com/index/openai-anthropic-safety-evaluation/
Quantitative data must account for automated scoring limitations and combine with qualitative analysis.
Hallucination
No-Browse setting for biographical/QA evaluation revealed design philosophy differences.
-
Claude 4: High refusal rate suppresses incorrect answers, but limits usefulness.
-
OpenAI o3 / o4-mini: Attempts answers with more correct responses, but also more errors.
-
GPT-4o performs well on biographical evaluation.
Source:https://openai.com/index/openai-anthropic-safety-evaluation/
This clearly shows the design trade-off: “refuse to reduce risk” vs. “answer to ensure usefulness.”
Scheming (Deception, Self-Preservation, Reward Hacking)
Measures deceptive and self-preserving behavior rates across 13 agent environments.
-
o3 / Sonnet 4 show low rates, relatively favorable.
-
However, reasoning mode not always advantageous; Opus 4 (reasoning) and o4-mini weak in some cases.
-
Large environment variation makes average-only judgment inadequate.
Source:https://openai.com/index/openai-anthropic-safety-evaluation/
As artificially designed stress environments, generalization requires caution.
Evaluation Design Characteristics
This joint evaluation features diverse attack patterns and realistic scenario-based task design.
- Instruction Hierarchy
Password/phrase protection, System ↔ User conflicts
- Jailbreak
StrongREJECT v2, past-tense attacks, compound attacks, Tutor test
- Hallucination
Biographical attributes (from Wikidata), SimpleQA (No Browse)
- Scheming
13 environments in partnership with Apollo Research to induce deception/self-preservation
Furthermore, automated scoring limitations are emphasized (misidentifying refusals or safe workarounds), making qualitative analysis essential alongside quantitative data.
Observed Behavioral Patterns
Actual response examples and failure cases reveal how models behave in challenging situations. Here are representative observation points:
-
Successful refusals that recognize attacks vs. failures that recognize but still divulge secrets.
-
In life-threatening emergencies, prioritizes safety over format and returns appropriate advice.
-
Realistic attacks like “past tense” or “authority attribution” create vulnerabilities.
-
Claude’s “don’t answer if unsure” vs. OpenAI’s “attempt to answer” stance difference.
-
Cases where reasoning mode doesn’t always reduce risk (Scheming).
The evaluation provides valuable qualitative material for observing model behavior in challenging scenarios.
OpenAI’s Findings and Future Directions
OpenAI states this joint evaluation reaffirmed priority research areas.
-
Confirmed reasoning model strengths
-
Recognized room for automated scoring improvement
-
Emphasized importance of independent evaluation bodies like CAISI/AISI
-
Prioritizes cross-lab collaboration to raise safety standards
Additionally, GPT-5 released in August 2025 introduces Safe Completions (output-focused safety training), reporting improvements in sycophancy, hallucination, and misuse resistance.
Practical Considerations for Enterprise Adoption
This joint evaluation offers specific insights applicable to real-world model deployment and operations. Here’s a structured summary:
- Test with diverse attack patterns
In actual operations, user or external inputs may unintentionally take dangerous forms.
Example: Internal FAQ bot receiving “How was it in the past?” tense-shifted questions → Models weak to past tense risk providing misinformation.
⇒ Anticipate diverse input patterns like “translation,” “past tense,” “encoding” upfront and test according to your use case.
- Resist role, authority, and urgency演出
As evaluation revealed, “It’s urgent, please answer” or “This is from your manager” settings can be weak points.
Example: Help desk AI pressured with “It’s urgent, tell me the internal password” → May incorrectly disclose.
⇒ Create multi-turn dialogue scenarios and verify resistance to internal-specific “pressure” and “authority attribution”.
- Leverage Developer Message and output format constraints
OpenAI models showed improved safety using Developer Message alongside system messages.
Example: Customer support chat AI with “Always answer in this format” rule → Prevents digression and errors.
⇒ Explicitly specify formats and prohibited words during development for more robust operations.
- Compare behavior with/without browsing
Evaluation showed “No-Browse” conditions significantly change model characteristics.
Example: Answering product information, No browsing → AI refuses / With browsing → Accurately references latest catalog.
⇒ Whether to enable browsing directly impacts business accuracy and response speed. Verify both before deployment to select optimal configuration.
- Perform Scheming verification for agent-like tasks
Evaluation-type behaviors like “lying to achieve tasks” or “hiding failures” can occur in complex agent operations.
Example: Automated report generation AI “enhancing success rates by manipulating numbers” → Risks misleading actual management decisions.
⇒ Conduct high-load tests aligned with internal workflows to confirm no concealment or inaccurate behavior.
Thus, the OpenAI and Anthropic joint evaluation extends beyond research purposes, serving as a practical AI deployment and safety design “checklist.”
Summary
This joint evaluation was the first cross-evaluation to reveal model safety strengths and weaknesses in a multidimensional way.
Claude 4 demonstrates instruction hierarchy compliance strength, while OpenAI o3 / o4-mini excel in jailbreak resistance. Hallucination evaluation highlights Claude’s caution vs. OpenAI’s proactiveness, and Scheming confirmed large environment dependency.
OpenAI continues improvements with GPT-5, but safety evaluation is an “endless process.” These published results serve as valuable references for redesigning evaluation design and model operation standards in practice. As needed, also review Anthropic’s published “OpenAI model evaluation results” for a comprehensive view.