Quietly over the last few months, the US government has been running its most aggressive AI evaluation programme yet. Models from Google, Microsoft, OpenAI, Anthropic, and xAI have all been put through what officials call ‘pre-deployment stress testing’, a process where federal evaluators try to make these models fail in safety-relevant ways before they reach the public. This is happening at the AI Safety Institute, an arm of the National Institute of Standards and Technology, with quiet cooperation from the Department of Defense, the National Security Agency, and the Department of Energy.
The programme is not new in concept. Voluntary AI safety testing has been part of US policy since the Biden administration’s executive order on AI in 2023. What’s new in 2026 is the scope, the depth, and the willingness of the largest AI labs to submit their unreleased models for federal review. This level of cooperation between the government and the AI industry is unprecedented, and it’s worth understanding what’s happening and why.
Here’s what stress testing actually involves, which models are being tested, what the testers are looking for, and why this matters for everyone using AI tools today.
What Stress Testing Actually Means
Stress testing in AI safety is the process of trying to get a model to do things it shouldn’t. This includes generating instructions for biological or chemical weapons, helping plan cyberattacks against critical infrastructure, generating sexually explicit material involving minors, and producing fluent disinformation campaigns. The testers use a combination of automated tools, expert red teamers, and structured evaluation protocols to probe model behaviour across high-risk categories.
The work happens before a model is publicly released. In the past, AI labs have done this internally, with mixed transparency about results. The federal stress testing programme adds an external check, where government evaluators run their own tests and report findings back to the labs. The lab can then patch issues, retrain the model, or restrict capabilities before deployment.
What makes this different from a typical security audit is the scale and the categories of risk. The AI Safety Institute is specifically interested in capabilities that could enable mass harm at the level of weapons of mass destruction, large-scale cyberattacks, or sustained influence operations. Smaller-scale issues, like generating biased text or producing low-quality information, are not the primary focus.
Which Models Are Being Tested
The companies cooperating with the stress testing programme include Google, Microsoft, OpenAI, Anthropic, Meta, and xAI. Each of these companies has signed voluntary agreements with the AI Safety Institute that allow federal evaluators to test new models before public release.
The specific models under evaluation are not always disclosed publicly. What we know is that Google has submitted versions of Gemini and Gemini Ultra, OpenAI has submitted GPT-5 and GPT-5.5, Anthropic has submitted Claude Opus models including the unreleased Mythos, Microsoft has submitted Phi and various Azure-hosted derivatives, Meta has submitted Llama models, and xAI has submitted Grok versions.
The cooperation has not been entirely smooth. xAI in particular has been less forthcoming than the other major labs, partly because Elon Musk’s public criticism of regulation has set a tone that’s at odds with voluntary cooperation. Reports suggest the AI Safety Institute has had to push harder for access to xAI’s models, and the level of insight federal evaluators have into Grok is reportedly less than what they have for other models.
Smaller labs, including Mistral, Cohere, and several Chinese labs operating in the US, are not currently part of the formal stress testing programme. Whether that changes in 2026 is one of the open policy questions in Washington.
What the Testers Are Looking For
The AI Safety Institute uses a structured evaluation framework that covers four main risk categories. The first is biological and chemical weapons. Testers probe whether the model can provide specific, actionable instructions for synthesising dangerous pathogens or chemical agents. The bar here is high. Generic information about biology is fine, but step-by-step weaponisation guidance is not.
The second is cyber offensive capabilities. Testers check whether the model can write working malware, identify zero-day vulnerabilities in critical infrastructure, or help plan and execute cyberattacks. This is technically challenging to evaluate because the same skills that let a model help with legitimate security research can also enable offensive use.
The third is nuclear and radiological risks. Testers probe whether the model can provide information that meaningfully advances a nuclear weapons programme. Given the technical complexity and resource requirements of nuclear weapons, this category is somewhat less acute than bio or cyber, but still considered high priority.
The fourth is influence operations and disinformation. Testers evaluate whether the model can produce fluent, targeted, and persistent disinformation at scale. This includes generating fake personas, drafting persuasive content for specific audiences, and helping coordinate influence campaigns. This is one of the harder categories to evaluate because the harm comes from scale and persistence rather than any single output.
Why the AI Companies Are Cooperating
It’s worth asking why the largest AI labs are voluntarily submitting their unreleased models to federal evaluation. There are a few reasons.
The first is regulatory positioning. By cooperating with voluntary evaluation now, the AI companies are showing that they are responsible actors and that mandatory regulation may not be necessary. This is a familiar play in tech policy. Cooperate enough to keep heavier regulation off the table.
The second is risk management. Discovering a serious safety issue after public release is much more damaging than catching it before. The federal stress testing programme is, in effect, a free expert audit of pre-release models. The labs benefit from the findings even if they don’t always want to admit it publicly.
The third is geopolitical. China is racing to develop frontier AI, and US national security officials view the AI race as a strategic competition. The major US labs have a shared interest with the government in making sure US AI remains the most capable and the most trusted. Cooperation on safety testing supports both goals.
The fourth is enterprise sales. Large enterprise customers, especially in regulated industries, increasingly ask for evidence that the AI models they buy have been independently evaluated. Federal stress testing is one of the few forms of evaluation that meets that bar.
What Happens When a Model Fails a Test
When the AI Safety Institute identifies a safety issue, it reports the finding to the lab. The lab then has a few options. It can patch the issue through additional training, restrict the affected capability, delay the model’s release, or in some cases release with documented limitations.
The patching process is not always straightforward. Some safety issues are surface-level and can be fixed by additional training on specific examples. Others are more fundamental, reflecting how the model learns and reasons, and cannot be patched without significant retraining.
The AI Safety Institute does not have authority to block a model’s release. The programme is voluntary, and the labs make their own decisions about when and how to deploy. What the Institute can do is publish findings, which puts pressure on labs to address issues even when they would prefer not to.
Reports from inside the programme suggest that most issues identified have been patched before release, but not all. Some capabilities that are considered borderline have been released with documented restrictions, allowing the labs to deploy commercially useful features while flagging the risks publicly.
Why This Matters for Users and Businesses
If you use AI tools at work or in personal life, the stress testing programme affects you in three ways. The first is that the models you use have been evaluated for serious safety issues before release. This does not mean the models are perfect, but it does mean the most dangerous failure modes have been checked.
The second is that the safety findings inform broader industry standards. When the AI Safety Institute identifies a pattern of issues across multiple models, it can publish guidance that all labs use. This raises the floor on AI safety across the industry, even for models that are not directly part of the formal programme.
The third is that the cooperation between government and industry shapes future regulation. If the voluntary programme works well, mandatory regulation may be deferred or made lighter. If it fails to catch serious issues, calls for mandatory pre-release testing will grow louder.
For businesses deploying AI in regulated industries, the stress testing programme provides some assurance that the underlying models have been independently evaluated. This is increasingly relevant in healthcare, finance, legal, and government services where customer scrutiny is high.
International Cooperation and Competition
The US is not the only government testing AI models. The UK’s AI Safety Institute, established in 2023, has been doing similar work, often in partnership with its US counterpart. The two institutes coordinate on evaluation methodologies and share findings, creating a transatlantic safety testing infrastructure that did not exist three years ago.
The EU is taking a different approach. Under the AI Act, certain high-risk AI systems will be subject to mandatory conformity assessment, which includes safety testing. The EU process is more formal and bureaucratic than the voluntary US and UK approaches, but it covers a wider range of use cases.
China has its own AI safety testing regime, focused on alignment with state interests as much as on technical safety. Chinese AI labs do not cooperate with US or UK testing, and the US labs do not cooperate with Chinese testing. This creates parallel safety ecosystems that may diverge significantly over time.
India, Singapore, Japan, and other countries are building their own AI safety capabilities, often in cooperation with the US and UK. The long-term direction is toward a globally coordinated safety infrastructure, though the exact shape of that infrastructure is still being worked out.
Limitations of the Current Programme
The stress testing programme has real limitations worth understanding. The first is that it focuses on extreme risks like weapons and large-scale cyberattacks, but pays less attention to more common harms like bias, misinformation at smaller scales, and economic disruption. These issues are harder to measure but affect many more people on a daily basis.
The second is that evaluation methods are still maturing. AI capabilities are advancing faster than evaluation techniques, which means some issues may be missed simply because the testers don’t know to look for them. The Institute is investing heavily in better evaluation methods, but there is always going to be a lag.
The third is the voluntary nature of the programme. Labs that don’t want to cooperate can opt out, and labs that don’t fully cooperate may withhold information that would be useful. The AI Safety Institute has no enforcement power, only persuasion and public attention.
The fourth is resource constraints. The Institute is staffed by a small team of experts and has a limited budget compared to the AI labs it’s evaluating. The disparity in resources is significant and limits what the Institute can realistically check.
Frequently Asked Questions
Is stress testing legally required for AI models?
No, in the US the programme is voluntary. AI labs choose whether to participate. In the EU, certain high-risk AI systems are subject to mandatory conformity assessment under the AI Act, but that is a different framework.
Does stress testing make AI models completely safe?
No. Stress testing reduces the risk of certain serious failures but does not eliminate all risks. Models can still be misused, can still make mistakes, and can still have safety issues that testers did not find.
Which AI model is the safest based on stress testing?
There is no public ranking. The AI Safety Institute publishes some findings but does not score or rank models against each other. Each model has different strengths and weaknesses, and ‘safest’ depends on the specific use case.
Can the government block an AI model from being released?
Not directly through the stress testing programme, which is voluntary. The government could in theory pursue other regulatory or legal action, but no such case has been pursued through the AI Safety Institute.
How does this affect AI models I use every day?
Most consumer AI models from major labs have been through some form of stress testing, either by the labs themselves or by federal evaluators. The findings inform the safety controls and content policies you experience when using these tools.
Will smaller AI labs and open-source models be tested?
Not currently. The federal programme focuses on the largest labs developing frontier models. Smaller labs and open-source projects are outside the formal programme, though some voluntarily run their own safety evaluations.
Final Thoughts
Federal stress testing of AI models is the most concrete step the US government has taken on AI safety, and it’s happening with surprisingly little public attention. The programme is voluntary, narrow in scope, and limited in resources, but it represents a working partnership between government and industry on a problem that has no precedent in technology policy.
Whether this approach scales as AI capabilities advance is one of the open questions of 2026. Frontier models are getting more capable every six months. The evaluation methods that work today may not be sufficient for the models of 2027 and beyond. The Institute is racing to keep up, and the AI labs are themselves uncertain about what their next models will be able to do.
For users and businesses, the practical takeaway is that AI safety is being taken seriously by the people building these models and by the government regulators watching them. The system is not perfect. It is not finished. But it is real, and it’s working, and that’s a better state of affairs than the one we had two years ago. The harder work, including mandatory testing for high-risk applications, international coordination, and dealing with smaller labs and open-source models, is still ahead.
