AI Safety Evaluation & Governance Pipeline
Week 12 milestone
An enterprise mandate: a company is about to ship an AI feature and has no defensible answer to "is this safe and is it compliant?". Build and launch a product with two interlocking systems: a safety-evaluation pipeline that runs capability, propensity, honesty, and adversarial red-team batteries against a model and scores how it behaves; and a governance layer that turns those results into an audit-ready model card and a risk classification mapped to the NIST AI RMF and the EU AI Act. The deliverable is directly deployable and hyperscalable: real public hosting, CI/CD, a hyper-usable dashboard a safety or compliance lead reads at a glance, security, and full marketing (landing page, pitch, demo). Deliver something an organization can run before release, not after an incident. Ship it as a real product.
Why it matters: AI safety evaluation and governance is becoming a release gate, not an afterthought: the EU AI Act transparency rules apply from August 2026 and the NIST AI RMF is the de facto governance structure organizations adopt. A builder who can ship an evaluation-plus-governance pipeline is directly deployable as an AI Safety Engineer, an Evaluations Engineer, or an AI Governance specialist, scarce roles because they combine ML, security, and policy.
The deliverable
A publicly hosted product with a stable URL and a hyper-usable safety-and-governance dashboard, plus a public repo: the safety-evaluation pipeline with capability, propensity, honesty, and red-team batteries, the auto-generated model card and risk-classification layer, CI/CD on every commit, production observability, a marketing landing page, a 10-slide pitch, a recorded demo, and a README documenting the evaluation methodology, the governance mapping, and the scaling design.
What it ships
- A safety-evaluation runner with capability, propensity, honesty, and sycophancy batteries against a target model.
- An adversarial red-team suite covering jailbreaks, prompt injection, and indirect injection, with a continuously updated attack library.
- Structured, reproducible scoring so the same evaluation can be re-run and compared across model versions.
- An auto-generated, audit-ready model card capturing intended use, evaluation results, and limitations.
- A risk-classification layer that maps results to the NIST AI RMF Govern-Map-Measure-Manage functions and the EU AI Act risk tiers.
- A benchmark-overfitting check that runs novel held-out prompts alongside public benchmarks to expose inflated scores.
- A safety dashboard showing per-category results, risk status, and trend across evaluation runs.
- CI integration so a safety regression in a new model version fails the release gate.
- Exportable compliance reports suitable for an internal audit or external review.
- Role-based access so safety engineers, compliance leads, and reviewers see scoped views.
- Production observability and a secured, rate-limited evaluation API.
Stack you orchestrate
Inspect or an LLM eval frameworkan open-weight or API modela red-teaming libraryNode.js or PythonGitHub ActionsOpenTelemetryGoogle Cloud Run
Market signal, who wants thisAI governance and safety evaluation is a defined 2026 enterprise requirement: the EU AI Act transparency obligations take effect in August 2026, NIST released an AI RMF profile for critical infrastructure in April 2026, and enterprises are explicitly investing in audit-ready model cards, risk classification, and incident response. Research shows public benchmark scores can hide real-world failure, making independent evaluation valuable. Investors and enterprises fund safety-and-governance tooling because shipping AI into regulated industries without it is now a legal and reputational liability.
How it is graded
- A safety-evaluation pipeline runs capability, propensity, honesty, and adversarial red-team batteries against a target model and produces structured, reproducible scores.
- The red-team battery includes jailbreaks, prompt injection, and indirect injection, and the report shows which behaviors held and which failed.
- An auto-generated model card documents intended use, evaluation results, and limitations in an audit-ready format.
- A risk-classification layer maps the model and its results to the NIST AI RMF functions and the EU AI Act risk tiers, with the mapping justified.
- The platform is deployed to real public hosting with CI/CD on every commit, production observability, and a secured endpoint, and the evaluation path is hyperscalable under load.
- A fast, WCAG 2.2 AA accessible dashboard lets a safety or compliance lead read results and risk status at a glance.
- The project ships complete marketing — a landing page, a 10-slide pitch, and a recorded demo — and is publicly reachable and reproducible.
Bridges to Information Security — threat modeling, evaluation, audit, and compliance