SL5 Compliance Heatmap

Track Security Level 5 (SL5) compliance of major AI labs. This data is compiled from public sources, is open-source, and updates daily using advanced Large Language Models to provide the latest insights into frontier model security.

OpenAI: 31% (2/173 at 100%)
Anthropic: 46% (2/173 at 100%)
Google: 27% (3/173 at 100%)
xAI: 9% (0/173 at 100%)
Meta: 9% (0/173 at 100%)

Columns, in order: OpenAI, Anthropic, Google, xAI, Meta

SL1

A system that can likely thwart amateur attempts (OC1). This includes the operations of many hobbyist hackers, as well as more experienced hackers who implement completely untargeted "spray and pray" attacks.

Weight Security

Weight Storage

Sensitive data remain internal.
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 25%, Meta 0%
Weight encryption (best effort)
  OpenAI 0%, Anthropic 50%, Google 50%, xAI 50%, Meta 0%

Physical Security

Data centers of cloud providers
  OpenAI 75%, Anthropic 75%, Google 75%, xAI 25%, Meta 25%

Access Control

Access control for sensitive assets
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 25%, Meta 0%
Access log or audit trail
  OpenAI 25%, Anthropic 75%, Google 50%, xAI 25%, Meta 0%

Security of Network and Other (Nonweight) Sensitive Assets

Software

Moderately frequent software update management and compliance monitoring
  OpenAI 25%, Anthropic 75%, Google 50%, xAI 25%, Meta 25%

Access, Permissions, and Credentials

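Least privilege principle
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 25%, Meta 0%
Restrictions on device and account sharing
  OpenAI 50%, Anthropic 75%, Google 0%, xAI 25%, Meta 0%
Password best practices
  OpenAI 0%, Anthropic 75%, Google 0%, xAI 25%, Meta 0%
Multifactor authentication
  OpenAI 50%, Anthropic 75%, Google 0%, xAI 25%, Meta 0%
Single Sign-On (SSO)
  OpenAI 75%, Anthropic 0%, Google 0%, xAI 75%, Meta 0%
Backup and recovery tools
  OpenAI 25%, Anthropic 0%, Google 25%, xAI 25%, Meta 0%
Commercial identity and access management (IAM) tools
  OpenAI 75%, Anthropic 75%, Google 75%, xAI 25%, Meta 0%
Zero Trust architecture (adherence to at least the standards in the "Traditional" level of CISA's Zero Trust Maturity Model)
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 0%, Meta 25%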

Hardware

Modern device architectures that establish root of trust and block malicious code execution
  OpenAI 50%, Anthropic 25%, Google 25%, xAI 25%, Meta 0%
CPU anti-exploitation features
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 25%

Supply Chain

The reputability of software is reviewed before incorporation.
  OpenAI 0%, Anthropic 75%, Google 50%, xAI 0%, Meta 0%

Security Tooling

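Modern authentication infrastructure
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 25%, Meta 0%
Commercial network security solutions
  OpenAI 75%, Anthropic 75%, Google 0%, xAI 0%, Meta 50%
Commercial endpoint security solutions
  OpenAI 50%, Anthropic 50%, Google 25%, xAI 25%, Meta 0%
Reliance on standard security infrastructure (depending on circumstances)
  OpenAI 75%, Anthropic 100%, Google 0%, xAI 25%, Meta 0%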

Configuration Management

Enforce screen locks for inactivity
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Personnel Security

Awareness and Training

Basic onboarding information security training for employees
  OpenAI 0%, Anthropic 25%, Google 50%, xAI 0%, Meta 0%

Security Assurance and Testing

Risk and Security Assessments

Internal reviews
  OpenAI 0%, Anthropic 75%, Google 50%, xAI 0%, Meta 0%

Security Team Capacity

Basic incident response capabilities
  OpenAI 50%, Anthropic 75%, Google 0%, xAI 25%, Meta 50%

Maintenance

Information security news monitoring and implementation
  OpenAI 25%, Anthropic 75%, Google 50%, xAI 0%, Meta 50%

SL2

A system that can likely thwart most professional opportunistic efforts by attackers that execute moderate-effort or nontargeted attacks (OC2). This includes the operations of many professional individual hackers, as well as capable hacker groups when executing untargeted or lower-priority attacks.

Implementation of Previous Security Levels

The organization has implemented all the controls from SL1.
  OpenAI 50%, Anthropic 50%, Google 0%, xAI 0%, Meta 25%

Weight Security

Weight Storage

Storage location (e.g., weights are stored exclusively on servers and not on local devices)
  OpenAI 100%, Anthropic 50%, Google 25%, xAI 0%, Meta 0%
Encryption (e.g., all keys are secured in a key management system)
  OpenAI 50%, Anthropic 75%, Google 50%, xAI 0%, Meta 0%

Security During Transport and Use

Encryption in transit (e.g., not transporting weights over public or unencrypted channels)
  OpenAI 50%, Anthropic 50%, Google 75%, xAI 25%, Meta 25%

Physical Security

Data centers are guarded, and only people with authorization are allowed inside.
  OpenAI 75%, Anthropic 0%, Google 100%, xAI 25%, Meta 50%
Visitor access is restricted and logged.
  OpenAI 25%, Anthropic 0%, Google 75%, xAI 0%, Meta 0%

Access Control

Restrictions on sensitive interactions (e.g., require multifactor authentication using FIDO authentication/hardware security keys)
  OpenAI 25%, Anthropic 50%, Google 0%, xAI 0%, Meta 0%

Monitoring

Logging of all sensitive interactions
  OpenAI 0%, Anthropic 75%, Google 0%, xAI 25%, Meta 25%
Regulation and monitoring of weight copies across the organization network
  OpenAI 25%, Anthropic 75%, Google 50%, xAI 0%, Meta 0%

AI Model Resilience

Model Robustness

Input reconstruction (e.g., during inference, a privately known prefix is added ahead of the user prompt)
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Adversarial training
  OpenAI 75%, Anthropic 25%, Google 50%, xAI 25%, Meta 0%

Security of Network and Other (Nonweight) Sensitive Assets

Software

Frequent software update management and compliance monitoring
  OpenAI 50%, Anthropic 75%, Google 50%, xAI 0%, Meta 25%

Access, Permissions, and Credentials

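Strong password enforcement
  OpenAI 50%, Anthropic 75%, Google 0%, xAI 25%, Meta 0%
The work network is separate from the guest network.
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Guest accounts disabled whenever possible
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Strong access management tools
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 25%, Meta 50%
Zero Trust architecture (adherence to at least the standards in the "Initial" level of CISA's Zero Trust Maturity Model)
  OpenAI 0%, Anthropic 25%, Google 50%, xAI 0%, Meta 0%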

Hardware

Lost or stolen devices reported
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
All network devices are visible and trackable.
  OpenAI 0%, Anthropic 50%, Google 0%, xAI 0%, Meta 0%

Supply Chain

Review of vendor and supplier security
  OpenAI 25%, Anthropic 25%, Google 50%, xAI 25%, Meta 0%

Security Tooling

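Disk encryption
  OpenAI 25%, Anthropic 75%, Google 75%, xAI 25%, Meta 0%
Network communications are encrypted by default.
  OpenAI 50%, Anthropic 50%, Google 100%, xAI 50%, Meta 0%
Email security tools
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Use of integrated security approaches, such as eXtended Detection and Response (XDR)
  OpenAI 0%, Anthropic 0%, Google 50%, xAI 0%, Meta 0%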

Configuration Management

Incorporate fundamental infrastructure and policies for Security-by-Design and Security-by-Default
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 50%, Meta 25%
Configuration management monitoring
  OpenAI 50%, Anthropic 75%, Google 50%, xAI 0%, Meta 0%

Physical Security

Office security
  OpenAI 25%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%
Careful disposal of printed materials
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Personnel Security

Awareness and Training

Periodic mandatory information security training for all employees
  OpenAI 25%, Anthropic 25%, Google 50%, xAI 75%, Meta 0%
Employee training on configuration errors and their security implications
  OpenAI 0%, Anthropic 25%, Google 0%, xAI 25%, Meta 0%

Filtering and Monitoring

Installation of monitoring software for secure network access
  OpenAI 50%, Anthropic 75%, Google 0%, xAI 0%, Meta 25%
Active drills to identify and educate noncompliant employees
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 25%, Meta 0%

Security Assurance and Testing

Red-Teaming and Penetration Testing

Mandatory external reviews
  OpenAI 50%, Anthropic 50%, Google 25%, xAI 0%, Meta 0%

Community Involvement and Reporting

Bug-bounty and vulnerability-discovery programs
  OpenAI 50%, Anthropic 75%, Google 75%, xAI 25%, Meta 50%

Software Development Process

Secure software development standards (compliance with NIST's Secure Software Development Framework)
  OpenAI 50%, Anthropic 75%, Google 75%, xAI 0%, Meta 25%

Incident Response

Protocols and funding for rapid incident response
  OpenAI 50%, Anthropic 75%, Google 75%, xAI 25%, Meta 25%
Incident reporting
  OpenAI 50%, Anthropic 75%, Google 25%, xAI 25%, Meta 0%

Security Team Capacity

Constant availability of qualified personnel
  OpenAI 25%, Anthropic 25%, Google 75%, xAI 50%, Meta 0%

Maintenance

Continuous vulnerability management and adaptation to information security developments
  OpenAI 75%, Anthropic 75%, Google 75%, xAI 25%, Meta 0%

Other Organization Policies

Promotion of a security mindset by organization management
  OpenAI 75%, Anthropic 75%, Google 75%, xAI 25%, Meta 25%
Stringent remote work policies
  OpenAI 0%, Anthropic 0%, Google 25%, xAI 0%, Meta 0%

SL3

A system that can likely thwart cybercrime syndicates or insider threats (OC3). This includes the operations of many world-renowned criminal hacker groups, well-resourced terrorist organizations, disgruntled employees, and industrial espionage organizations.

Implementation of Previous Security Levels

The organization has implemented all the controls from SL1 and SL2.
  OpenAI 0%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%

Weight Security

Weight Storage

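Centralized and restricted management of weight storage
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 0%, Meta 0%
Secure cloud network (if applicable)
  OpenAI 50%, Anthropic 75%, Google 75%, xAI 25%, Meta 0%
Dedicated devices for weights and weight security data
  OpenAI 0%, Anthropic 0%, Google 50%, xAI 0%, Meta 0%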

Physical Security

Data centers are guarded or locked at all times.
  OpenAI 75%, Anthropic 75%, Google 100%, xAI 25%, Meta 25%
Premises are swept for intruders frequently (e.g., hourly).
  OpenAI 0%, Anthropic 25%, Google 0%, xAI 0%, Meta 0%
Premises are meticulously swept for unauthorized devices routinely (e.g., monthly).
  OpenAI 0%, Anthropic 50%, Google 25%, xAI 0%, Meta 0%

Permitted Interfaces

Authorized users who interact with the weights do so only through a software interface that reduces risk of the weights being illegitimately copied.
  OpenAI 100%, Anthropic 75%, Google 25%, xAI 0%, Meta 0%
Any code accessing the weights minimizes attack surface, provides only simple forms of access, and uses the minimal amount of (highly trusted and well-established) external code necessary.
  OpenAI 50%, Anthropic 75%, Google 50%, xAI 0%, Meta 25%
Avoiding model interactions that bypass monitoring or constraints
  OpenAI 25%, Anthropic 75%, Google 50%, xAI 0%, Meta 75%

Access Control

Protocols and policies for sensitive interactions (e.g., access to the various permitted interfaces to the weights is stringently controlled, multiparty authorization, security reviews, etc.)
  OpenAI 50%, Anthropic 100%, Google 50%, xAI 0%, Meta 25%

Monitoring

Ongoing manual monitoring of sensitive interactions
  OpenAI 25%, Anthropic 75%, Google 25%, xAI 0%, Meta 0%
Ongoing automated anomaly detection
  OpenAI 25%, Anthropic 75%, Google 25%, xAI 0%, Meta 0%
Automated and manual monitoring/blocking of potentially malicious queries
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 25%, Meta 75%
Frequent compromise assessment
  OpenAI 0%, Anthropic 75%, Google 75%, xAI 25%, Meta 0%
Frequent integrity checks via comparison against a baseline system configuration ("gold image")
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Standard Compliance

Implementation of measures described by NIST SP 800-171 or equivalent
  OpenAI 25%, Anthropic 75%, Google 25%, xAI 0%, Meta 0%
Future implementation of measures described by CMMC 2.0 Level 3
  OpenAI 50%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%

AI Model Resilience

Model Robustness

Adversarial input detection
  OpenAI 50%, Anthropic 75%, Google 0%, xAI 0%, Meta 75%

Oracle Protection

Limitations on the number of inferences using the same credentials
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 25%, Meta 0%

Security of Network and Other (Nonweight) Sensitive Assets

Software

Very frequent software update management and compliance monitoring
  OpenAI 25%, Anthropic 75%, Google 25%, xAI 0%, Meta 25%

Access, Permissions, and Credentials

802.1x authentication
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Zero Trust architecture (adherence to at least the standards in the "Advanced" level of CISA's Zero Trust Maturity Model)
  OpenAI 25%, Anthropic 50%, Google 50%, xAI 0%, Meta 0%

Hardware

Security-minded hardware sourcing
  OpenAI 50%, Anthropic 0%, Google 75%, xAI 0%, Meta 0%

Supply Chain

Software inventory management
  OpenAI 25%, Anthropic 75%, Google 50%, xAI 0%, Meta 0%
Supply chain security is commensurate with the organization's security
  OpenAI 25%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%

Security Tooling

Enforcement of security policies through code rather than manual compliance
  OpenAI 25%, Anthropic 75%, Google 25%, xAI 0%, Meta 0%
Security policy enforcement for network access across devices
  OpenAI 50%, Anthropic 75%, Google 50%, xAI 25%, Meta 25%

Personnel Security

Awareness and Training

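Employee awareness of weight interaction monitoring
  OpenAI 25%, Anthropic 50%, Google 0%, xAI 25%, Meta 0%
Security training for employees (not necessarily only those with access)
  OpenAI 50%, Anthropic 50%, Google 0%, xAI 75%, Meta 0%
Security risk reporting program
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 50%, Meta 25%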

Filtering and Monitoring

Insider threat program
  OpenAI 50%, Anthropic 50%, Google 0%, xAI 0%, Meta 0%

Security Assurance and Testing

Red-Teaming and Penetration Testing

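Ongoing penetration testing
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 0%, Meta 0%
Penetration testing of physical access and facility security
  OpenAI 25%, Anthropic 50%, Google 0%, xAI 0%, Meta 0%
Advanced red-teaming: Elite external team
  OpenAI 75%, Anthropic 75%, Google 0%, xAI 0%, Meta 25%
Advanced red-teaming: Substantial funding
  OpenAI 75%, Anthropic 75%, Google 75%, xAI 0%, Meta 0%
Advanced red-teaming: Access to design and code
  OpenAI 50%, Anthropic 50%, Google 50%, xAI 0%, Meta 0%
Advanced red-teaming: Testing insider threats
  OpenAI 50%, Anthropic 75%, Google 75%, xAI 0%, Meta 25%
Advanced red-teaming: Expanded access
  OpenAI 75%, Anthropic 75%, Google 25%, xAI 0%, Meta 50%
Advanced red-teaming: Attention to the weights and authentication
  OpenAI 50%, Anthropic 75%, Google 75%, xAI 25%, Meta 25%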

Risk and Security Assessments

Keeping a risk register
  OpenAI 75%, Anthropic 50%, Google 50%, xAI 0%, Meta 50%

Threat Detection and Response

Placement of effective honeypots
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Security Team Capacity

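General increased capacity (compared with SL2)
  OpenAI 50%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%
Concrete experience with APTs
  OpenAI 50%, Anthropic 75%, Google 75%, xAI 0%, Meta 0%
Leveraging diverse security experience from leading organizations
  OpenAI 25%, Anthropic 75%, Google 0%, xAI 50%, Meta 0%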

Other Organization Policies

Two independent security layers
  OpenAI 75%, Anthropic 50%, Google 25%, xAI 0%, Meta 0%

SL4

A system that can likely thwart most standard operations by leading cyber-capable institutions (OC4). This includes the operations of many of the world's leading state-sponsored groups, many intelligence agencies across the world, and the top cyber-capable nations worldwide, which are able to execute such operations more than 100 times a year.

Implementation of Previous Security Levels

The organization has implemented all the controls from SL1–SL3.
  OpenAI 0%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%

Weight Security

Weight Storage

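Isolation of weight storage
  OpenAI 25%, Anthropic 50%, Google 0%, xAI 0%, Meta 0%
Weight storage setup is protected against eavesdropping and the simplest of TEMPEST attacks.
  OpenAI 0%, Anthropic 25%, Google 0%, xAI 0%, Meta 0%
Hardware-enforced limits on output rate
  OpenAI 0%, Anthropic 25%, Google 0%, xAI 0%, Meta 0%
Reduced communication capabilities
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%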

Security During Transport and Use

Confidential computing (when available)
  OpenAI 25%, Anthropic 75%, Google 75%, xAI 0%, Meta 50%

Physical Security

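Increased guarding (compared with SL3) via manned and digital systems
  OpenAI 0%, Anthropic 25%, Google 0%, xAI 0%, Meta 0%
Meticulous logging of all access
  OpenAI 0%, Anthropic 50%, Google 50%, xAI 0%, Meta 0%
Prohibiting devices near the setup
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%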

Permitted Interfaces

Specialized hardware for all external interfaces
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Monitoring

Enforcement of time-buffered review (software limitation)
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Protection of the monitoring logs at the hardware level
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 50%
Comprehensive anomaly detection and alert system over the monitoring logs
  OpenAI 0%, Anthropic 25%, Google 0%, xAI 0%, Meta 0%

AI Model Resilience

Model Robustness

Adversarial output detection
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 25%

Oracle Protection

Output reconstruction
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Security of Network and Other (Nonweight) Sensitive Assets

Software

Limiting the attack surface (e.g., the limited interaction interfaces of a Chromebook)
  OpenAI 75%, Anthropic 50%, Google 0%, xAI 0%, Meta 0%

Access, Permissions, and Credentials

Enforcement of strong random passwords and keys for enhanced security
  OpenAI 0%, Anthropic 50%, Google 0%, xAI 0%, Meta 0%
Zero Trust architecture (adherence to at least the standards in the "Optimal" level of CISA's Zero Trust Maturity Model)
  OpenAI 25%, Anthropic 50%, Google 50%, xAI 0%, Meta 0%

Hardware

All hardware used on devices must undergo source-code auditing and be validated as secure.
  OpenAI 0%, Anthropic 25%, Google 0%, xAI 0%, Meta 0%
Secure hardware required for access
  OpenAI 25%, Anthropic 25%, Google 75%, xAI 0%, Meta 0%
Ongoing compromise assessment on all devices with access (server or employee)
  OpenAI 25%, Anthropic 50%, Google 0%, xAI 0%, Meta 0%

Supply Chain

Strict application allowlisting (especially for sandboxes)
  OpenAI 50%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
SLSA Level 3 specification for all software used
  OpenAI 0%, Anthropic 25%, Google 25%, xAI 0%, Meta 0%

Security Tooling

Significant investment in advanced security systems
  OpenAI 75%, Anthropic 75%, Google 75%, xAI 25%, Meta 25%

Physical Security

Banning of unauthorized devices
  OpenAI 0%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%

Personnel Security

Filtering and Monitoring

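Preventing third-party access and reporting suspected illegitimate incidents
  OpenAI 0%, Anthropic 75%, Google 0%, xAI 25%, Meta 25%
Advanced insider threat program
  OpenAI 50%, Anthropic 75%, Google 25%, xAI 0%, Meta 0%
Occasional employee integrity testing
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%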

Security Assurance and Testing

Red-Teaming and Penetration Testing

Ongoing research and red-teaming to identify potential attack methods on the weight interface(s)
  OpenAI 50%, Anthropic 50%, Google 75%, xAI 0%, Meta 50%
Ensuring physical security through red-teaming
  OpenAI 50%, Anthropic 75%, Google 25%, xAI 0%, Meta 0%
Experience dealing with intelligence agencies
  OpenAI 50%, Anthropic 75%, Google 0%, xAI 0%, Meta 75%

Risk and Security Assessments

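Automated weight exfiltration attempts
  OpenAI 0%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%
Manual weight exfiltration attempts
  OpenAI 25%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%
Compliance with the FedRAMP High standards for security
  OpenAI 50%, Anthropic 75%, Google 25%, xAI 0%, Meta 25%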

Security Team Capacity

General increased capacity (compared with SL3)
  OpenAI 0%, Anthropic 0%, Google 25%, xAI 0%, Meta 0%
Greater concrete experience with APTs (compared with SL3)
  OpenAI 25%, Anthropic 25%, Google 75%, xAI 0%, Meta 0%
Zero-day vulnerability discovery capabilities
  OpenAI 0%, Anthropic 25%, Google 50%, xAI 0%, Meta 0%
The security team is empowered to not compromise security over other stakeholders.
  OpenAI 25%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%

Other Organization Policies

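Designating sensitive details of the weight security system
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Vetting of investors and other positions of influence
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Prioritizing leak prevention over other organizational goals
  OpenAI 0%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%
Four independent security layers
  OpenAI 75%, Anthropic 75%, Google 50%, xAI 0%, Meta 0%

SL5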

A system that could plausibly be claimed to thwart most top-priority operations by the top cyber-capable institutions (OC5). This includes the handful of operations prioritized by the world's most capable nation-states.

Implementation of Previous Security Levels

The organization has implemented all the controls from SL1–SL4.
  OpenAI 50%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Weight Security

Weight Storage

Extreme isolation of weight storage (completely isolated network)
  OpenAI 25%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Advanced preventive measures for side-channel attacks (e.g., noise injection, time delays, and other tools)
  OpenAI 0%, Anthropic 0%, Google 25%, xAI 0%, Meta 0%
Formal hardware verification of key components
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Physical Security

Increased significant guarding (compared with SL4) via multiple armed guards and digital security systems at all times.
  OpenAI 25%, Anthropic 0%, Google 0%, xAI 25%, Meta 0%
Supervised access for everyone
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Routine rigorous device inspections
  OpenAI 0%, Anthropic 75%, Google 0%, xAI 0%, Meta 0%
Disabling of most communication at the hardware level
  OpenAI 0%, Anthropic 25%, Google 0%, xAI 0%, Meta 0%

Permitted Interfaces

Strict limitation of external connections to the completely isolated network
  OpenAI 25%, Anthropic 25%, Google 0%, xAI 0%, Meta 0%

Access Control

Irrecoverable key policy (barring alternative access or key retrieval systems)
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Standard Compliance

Protection equivalent to that required for Top Secret (TS)/Sensitive Compartmented Information (SCI)
  OpenAI 50%, Anthropic 50%, Google 25%, xAI 0%, Meta 0%

AI Model Resilience

Oracle Protection

Constant inference time
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Security of Network and Other (Nonweight) Sensitive Assets

Supply Chain

Strong limitations on software providers (e.g., only developed internally or by an extremely reliable source)
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%
Strong limitations on hardware providers (e.g., only developed internally or by an extremely reliable source)
  OpenAI 0%, Anthropic 0%, Google 25%, xAI 0%, Meta 0%

Personnel Security

Personal Protection

Proactive protection of executives and individuals handling sensitive materials
  OpenAI 0%, Anthropic 0%, Google 0%, xAI 0%, Meta 0%

Security Assurance and Testing

Red-Teaming and Penetration Testing

Proactive search for crucial vulnerabilities (e.g., zero-days)
  OpenAI 25%, Anthropic 0%, Google 25%, xAI 0%, Meta 50%

Maintenance

Security is strongly prioritized over availability (e.g., barring connecting external devices to the completely isolated network to debug a critical production issue).
  OpenAI 50%, Anthropic 25%, Google 25%, xAI 0%, Meta 0%

Other Organization Policies

Eight independent security layers
  OpenAI 0%, Anthropic 50%, Google 0%, xAI 0%, Meta 0%

Legend: 0% Compliant, 25% Compliant, 50% Compliant, 75% Compliant, 100% Compliant