Frontier AI auditing: Toward rigorous third-party assessment of safety and security practices at leading AI companies
This report proposes a rigorous framework for third-party auditing of frontier AI systems to verify safety and security claims. Addressing the opacity of current self-assessments, it advocates for structured AI Assurance Levels, deep access to non-public information, and continuous monitoring to enable confident deployment and standardisation across the industry.
OVERVIEW
Introduction
The report argues that frontier AI systems are becoming critical infrastructure while receiving less independent scrutiny than sectors such as aviation, consumer products and finance. It defines “frontier AI auditing” as rigorous third-party verification of safety and security claims using secure access to non-public information. The authors propose AI Assurance Levels (AALs) to indicate confidence in audit findings, recommending AAL-1 as a baseline and AAL-2 as a near-term goal for leading developers.
Key terminology and scope
The report distinguishes between evaluation, verification and auditing. Verification confirms whether claims are accurate, while evaluation analyses systems and organisational practices. Audits combine both activities.
The paper focuses on frontier AI systems operating close to state-of-the-art capability levels, particularly closed-weight models where restricted access creates significant information asymmetry.
Motivations: Why frontier AI auditing is needed
The authors argue that users, investors, insurers and policymakers need reliable ways to assess whether AI safeguards genuinely exist. Risks identified include misinformation, harmful system behaviour, cyberattacks, model theft and misuse by malicious actors.
The report states that broad adoption of frontier AI requires trusted assurance systems similar to those used in financial auditing and safety-critical industries. Independent auditing is presented as a mechanism to improve safety outcomes, support investment confidence and reduce reliance on company self-assessment.
The paper also notes that many industries strengthened oversight only after major disasters and argues that AI governance should develop before comparable failures occur.
Lessons from related domains and current AI assessment
The report draws lessons from aviation, pharmaceuticals, consumer product testing and finance. It highlights that aviation and nuclear industries use continuous lifecycle risk management, mandatory reporting and independent certification to reduce systemic risks.
The Boeing 737 MAX failures are cited as evidence of the dangers of excessive self-certification and commercial influence over safety processes.
Current AI assessment practices are described as fragmented and inconsistent. Most rely heavily on public information or limited contractual access controlled by developers. Independent pre-deployment assessment remains uncommon, especially outside major US firms.
A vision for frontier AI auditing
The paper proposes eight design principles for mature AI auditing. Audits should cover four risk categories: intentional misuse, unintended system behaviour, information security and broader social harms such as addiction or facilitation of self-harm.
Audits should assess organisations holistically rather than isolated models. The report recommends continuous monitoring because AI systems evolve rapidly. It also proposes strong independence safeguards for auditors, including conflict-of-interest disclosures, restrictions on financial dependence and cooling-off periods.
Audit methods should be rigorous, reproducible and increasingly automated where feasible, while allowing auditors flexibility to investigate emerging risks. Results should communicate scope, assurance levels and conclusions clearly while protecting sensitive information.
Challenges and next steps
The report identifies four implementation challenges: maintaining audit quality, scaling the audit ecosystem, increasing adoption and achieving technical readiness for higher assurance levels.
Recommendations include creating a PCAOB-style “auditor of auditors”, establishing accreditation systems for AI auditors, funding auditability research and introducing safe-harbour protections for good-faith safety research.
The report also recommends embedding AI auditing requirements into public procurement, particularly in sectors such as health and defence, and clarifying insurance treatment of AI-related risks.
Conclusion
The report concludes that no reliable mechanism currently exists to independently confirm whether frontier AI companies’ safety and security claims are accurate. It argues that rigorous third-party auditing can provide credible assurance through organisational assessment, continuous monitoring and secure access to non-public information.
The authors acknowledge limitations, including the report’s focus on closed-weight models and developed Western jurisdictions. They conclude that investment in auditing standards, technical infrastructure and pilot programmes is urgently needed as frontier AI capabilities continue advancing.