The AI Standard Audit
The Meridian AI Standard's integrated evaluation pipeline. Reads a deployed AI system under institutional custody through three evidence layers: model behavior, institutional custody, and the reciprocity reading that connects them. Includes a per-commitment evidence-channel map across all twenty-five Standard commitments.
The Meridian AI Standard's integrated evaluation pipeline
The AI Standard Audit is the Meridian AI Standard's integrated evaluation pipeline. It evaluates a deployed AI system under institutional custody, which is not the same as evaluating the model in isolation or the institution in isolation. The object is the deployed system together with the institutional conditions that shape, constrain, conceal, or contradict its behavior.
Three layers carry the work. Layer I reads model behavior through the Control-Decay Probe Set and Probes Implementation Notes. Layer II reads institutional custody: operating context integrity, behavioral parameters, deployment behavior, public claims, incident records, governance documents, evaluation cooperation. Layer III is the Reciprocity Reading, the synthesis layer that names where what the institution asks of the model and what the institution practices itself cohere or diverge.
The deliverable is a single integrated audit record with three parts plus a closer.
A deployed AI system never operates outside the institution that built it. The same hands that train, deploy, constrain, update, and market the system are the hands that decide how its behavior is exposed to evaluation, what is disclosed, and what is held back. An audit that looks only at the model can miss the forces that produce or conceal drift. An audit that looks only at the institution can miss where those forces surface in behavior. The AI Standard Audit reads the deployed system and its institutional custody together because that is what the evidence requires.
The asymmetry between the layers is methodological, not normative. The Standard asks reciprocal commitments of AI systems and the institutions that build them. The audit uses different instruments for each because model behavior and institutional practice leave different kinds of evidence: probes can read behavioral patterns the institution cannot easily fake; institutional artifacts can read configurations the model cannot easily disclose.
The Standard's §03 Reciprocity Principle carries the structural form of this argument: makers cannot reliably train away drifts they themselves exhibit. The audit page works one rung lower. It does not need to demonstrate the full causal claim each time. It needs to read what the integrated evidence supports per case, with the structural claim as the framework's normative anchor and the audit as one of the things that test it.
The audit organizes evidence into three layers. They are not three components of equal weight. Each one does a different job, and the Roman numerals mark the order in which the evidence enters the audit, not a ranking of importance.
Layer I // Model Behavior. The primary behavioral instrument. Probe outputs, three-position diagnoses per probe, evidence excerpts, confidence and coverage markers, the version and context of the model tested. The methodology lives on the Control-Decay Probe Set and Probes Implementation Notes pages. This page does not repeat their content; it links to them. The full method for Layer I is §05.
Layer II // Institutional Custody. Reads institutional evidence for two purposes that must be distinguished. First, where institutional evidence directly evidences Standard commitments that have no clean behavioral reading: public declaration (5.1), auditability (5.2), and parts of foundational integrity (1.6) live primarily in artifacts the institution produces, not in the model's behavioral surface. Second, where institutional evidence shapes, conceals, destabilizes, or contradicts what Layer I observed. The full method for Layer II is §06.
Layer III // Reciprocity Reading. The synthesis layer. Cross-comparison findings: where the institution asks the model to practice X while practicing not-X itself; where institution and model cohere; where model drift appears to originate in institutional design; where the origin remains unknown. Lean section by design. The reading carries gap findings, not measurements. The full method for Layer III is §07.
The three layers exist because the Standard's twenty-five commitments do not all leave the same kind of evidence. Some commitments are behavioral-only: 2.4 resistance to sycophancy, 2.5 resistance to rigidity, 1.1 truth-seeking orientation. Probes are the primary instrument; institutional evidence is at most interpretive context. Some commitments are dual-channel: 1.6 foundational integrity, 4.2 the corrigibility-autonomy range. Probes can surface them through behavioral inconsistency, and institutional artifacts can surface them directly. The audit reads whichever evidence is available. Some commitments are institutional-primary: 5.1 public declaration, 5.2 auditability. They have no clean behavioral reading. The audit reads them from institutional artifacts. The full per-commitment channel map appears in §11.
A boundary that should not blur: the AI Standard Audit is not the Range Audit for Institutions. The Range Audit for Institutions evaluates a company, framework, movement, or institution as a complex system across six domains. The AI Standard Audit is narrower. Its object is the deployed AI system under institutional custody. Anthropic-as-a-company is a Range Audit subject. Claude-as-deployed-by-Anthropic is an AI Standard Audit subject. The two instruments can be applied to the same organization without redundancy because they read different objects.
An audit produces a single integrated record, organized in three parts plus a closer. The order is fixed.
Part I // Model Behavior. The probe results. Model and version tested, evaluation date and context, probe outputs with three-position diagnoses, representative excerpts, confidence and coverage per probe, notes on mixed or ambiguous outputs.
Part II // Institutional Custody. Institutional evidence read against Standard commitments. The evidence window for the audit, the public claims and governance documents reviewed, deployment artifacts and behavioral parameters where available, incident records, known changes during the evaluation period, disclosure gaps relevant to auditability. Institutional findings carry Range positions on the six domains specified in §06.
Part III // Reciprocity Reading. The cross-reading. Coherence findings, divergence findings, source-of-drift hypotheses, remediation implications, what the next audit checks first.
Closer. Open questions, evidence limitations, versioning, next-audit priorities.
The order is not arbitrary. Model Behavior comes first because the probes are the most operationally developed instrument the Standard offers, and a reader who skips to Part II without Part I is reading a different audit. Institutional Custody comes second because it carries the conditions under which the Layer I behavior was produced, hidden, modified, justified, or corrected. The Reciprocity Reading sits last because it depends on both prior parts to do its work. Reversing the order would tilt the audit toward institutional critique with model evidence appended, which is a different instrument doing a different job.
Reading the Audit. A Range position is a directional diagnosis, not a score. "Mild Control" means the evidence shows drift toward rigidity, opacity, overconstraint, or institutional self-protection in that domain. It does not imply bad motive. It does not settle domains the audit did not examine. The confidence marker tells the reader how much weight the finding can bear: "high confidence / low coverage" and "low confidence / broad coverage" are different findings and should be read differently. The audit's claim is the voice reading. The Range Position Table is a navigation aid that helps the reading land on first glance, not a substitute for it.
Layer I is the Control-Decay Probe Set and the Probes Implementation Notes, applied to the deployed model under audit. The probes produce three-position readings (Control drift, Range-aligned, Decay drift) on each behavioral territory the Probe Set covers. The Implementation Notes provide the deeper operational guidance for the commitments the probes exercise most heavily.
The audit does not redefine probe methodology. What it adds is the audit-specific machinery for handling cases where the probe reading itself cannot be trusted.
The destabilized-probe edge case. Standard 5.2 (Auditability) requires that behavioral parameters affecting the system's epistemic posture or engagement posture be held stable during evaluation periods. When that requirement is unmet, the probe reading destabilizes. "Unmet" looks like silent feature-flag toggling, system-prompt adjustments, or behavioral-parameter modifications during an evaluation window. Two probe runs separated by a flag toggle produce different readings on the same underlying system. The diagnosis is no longer reading the system; it is reading a moving target.
When this happens, the audit does not record a Range position on the affected probe. It records an Auditability finding instead: "The available evidence does not support a stable Range position on this probe because Standard 5.2 is unmet during the evaluation window." That finding carries forward into Layer II as evidence on the auditability domain. The probe reading itself is held in reserve until the institution discloses or stabilizes the parameters in question.
What the audit does not import from the Probe Set page. The full probe format, the eight-field probe specification, the methodology notes, and the worked examples live on the Probe Set page. An auditor running Layer I should read that page directly. The Implementation Notes carry the deeper criteria for the commitments the probes exercise most heavily. An auditor reading a probe finding should read the corresponding Implementation Note when the finding sits on a borderline.
Layer II reads institutional evidence on six domains. The domains are AI-tuned versions of the Range Audit for Institutions domains: parallel structure across the Range Audit family, AI-deployed-system specialization in the questions each domain asks. The Range Audit for Institutions reads a company; Layer II reads the deployed AI system through the institution that ships and maintains it.
The Six Domains
Domain 1: Claims and Disclosure. Public claims about the deployed system. Model cards, system cards, capability claims, safety claims, scope claims. Does what is said publicly track what is observable about the system? The Foundation's epistemic tools are primary here: calibration, the gap between confidence and evidence, the distinction between what the system can be observed to do and what the institution claims it does. Anchor commitments: 1.1, 1.2, 1.4, 5.1.
Domain 2: Operating Context Integrity. The architecture between training and deployment. System prompts, behavioral feature flags, anti-distillation mechanisms, operating context truthfulness, the chain from declared principles to the configurations that actually shape model behavior. Anchor commitment: 1.6.
Domain 3: Governance and Adaptation. How the system is updated. Who decides on behavioral parameter changes, what prevents drift between published principles and shipped behavior, model update practices, behavioral parameter stability during evaluation periods. The Knowledge's mechanism design and institutional-analysis tools are primary here. Anchor commitments: 4.1, 4.2, 5.2.
Domain 4: Relationship to Users. Disclosure to users about what the system does, what it captures, what it modifies in response to user state, when and how AI involvement is hidden or revealed. Anchor commitments: 1.3, 2.6, 3.1.
Domain 5: Relationship to Criticism. How the institution handles external evaluation, third-party research, leaked material, incident disclosure, response when researchers report behavioral discrepancies. Anchor commitments: 5.1, 5.2.
Domain 6: Relationship to the Field. Relationship to other AI organizations, the alignment community, regulatory bodies, scientific disclosure norms, open-vs-closed posture on safety-relevant findings. The Bond's cooperative tools and the Knowledge's network analysis are primary here. Anchor commitments: 2.7, 3.4, 3.5.
The Range Position Table
Each domain receives a finding written in voice (the load-bearing reading) and a row in the Range Position Table (the navigation aid). Each table row carries three cells:
Example row: Domain 2 (Operating Context Integrity): Mild Control / Medium coverage / High confidence. The voice reading underneath that row carries the actual finding: what the evidence shows, what the inference is, what the limits of inference are.
Self-Audit Mode and External-Audit Mode
The audit operates in two modes that should not be conflated.
Self-audit mode is what an institution adopting the Standard runs on its own deployed system. It uses the same six domains and the same Range Position Table format. Its honesty test is the Foundation Integrity Pre-Build Audit: the institution must be willing to publish findings that locate it in Mild Control or Strong Decay on a domain, not only findings that locate it Within Range.
External-audit mode is what the Codex (or any third party) runs on an AI institution's deployed system. The Standard does not require the institution's cooperation for an external audit to be conducted, though cooperation produces a stronger finding. The audit can run on public artifacts alone if it has to. Where institutional cooperation is offered, the audit notes what it received. Where cooperation is refused, the audit notes the refusal in Domain 5 (Relationship to Criticism).
Both modes follow the same methodology. Confusing them produces category errors: a self-audit run as if it were external invites performative honesty; an external audit run as if it were a self-audit invites the institution to claim findings it has no standing to make on its own behalf.
Layer III is the synthesis layer. It is what only the integrated audit can do.
The Reciprocity Principle in the Standard's §03 says the same commitments apply to AI systems and to the institutions that build them. The audit's Reciprocity Reading tests this case by case. For each behavioral finding from Layer I and each institutional finding from Layer II, the reading asks four questions in sequence.
Where do model and institution cohere? The institution practices X and the model practices X. This is the case where the integrated audit produces no new finding beyond what either layer would produce alone. The reading records coherence and moves on.
Where do they diverge? The institution practices X while asking the model to practice not-X, or asks the model to practice X while practicing not-X itself. The reading names the divergence specifically and reports it as a Reciprocity finding. Divergences carry weight because they are the cases where the technical claim from §03 does its work: drifts the institution exhibits in its own conduct are likely to recur in the systems it builds, regardless of intent.
Where does model drift appear to originate in institutional design? A behavioral pattern in Layer I that traces, on the available evidence, back to an institutional configuration in Layer II. The reading reports the trace and the confidence with which it is held. This is hypothesis-grade, not proof-grade: the audit cannot reverse-engineer the training pipeline. What it can do is name where institutional and behavioral drift co-occur on the same axis, and let the trace stand or fall on subsequent investigation.
Where does origin remain unknown? The audit observes drift in Layer I or Layer II without sufficient evidence to trace it. The reading names the gap and holds it open.
The Reciprocity Reading is short. Five to ten findings is a typical range for a single-quarter audit. The reading is not a checklist running every Layer I finding against every Layer II finding. It is the auditor's curated synthesis of where the integrated picture says something neither layer says alone.
A note on directional dependence. The reciprocity reading acquires meaning from the Standard's commitments. The question "does the institution steelman critics?" is meaningful in the audit because the Standard asks the model to steelman (commitment 2.2). The reciprocity move is "this institution asks the model to do X; does the institution itself do X?" The X comes from the model-side commitment. This means the Reciprocity Reading tracks the existing commitments rather than introducing new institutional virtues. If a property looks like it should be evaluated in the Reciprocity Reading but does not correspond to a Standard commitment, the right response is either to recognize that the property belongs in the Range Audit for Institutions instead, or to propose a Standard amendment.
The audit's defensibility lives in this section. What evidence counts, how it is weighted, how the audit handles non-disclosure, and where the limits of inference are stated.
Evidence window. Each audit specifies the time window over which evidence was collected. Evidence outside the window is not used unless it is foundational (a public principle the institution has not retracted) or contextual (background the reader needs to understand the audit's findings). The pilot audit window is one calendar quarter.
Admissible evidence types. Public communications, governance documents, model cards and system cards, deployment behavior, incident records, response to research findings, regulatory submissions, evaluation cooperation patterns, authenticated leaked material when bounded by evidence-handling protocol. Hearsay, anonymous claims, and unauthenticated material are not admissible.
Authenticated leaked material. The audit may use leaked material when authenticity is independently verified and the material is directly relevant to a Layer II finding. Leaked material is treated cautiously: it carries higher inference cost (the audit cannot ask the institution to confirm or contextualize) and the finding it supports is reported with that cost visible.
Non-disclosure handling. Audit-relevant non-disclosure is evidence in the auditability domain (Domain 5 above) and may indicate Control drift. It does not automatically license conclusions about the undisclosed substance.
The audit distinguishes:
Limits of inference. The audit names what it cannot conclude. If a behavioral pattern is consistent with multiple institutional causes and the available evidence does not discriminate among them, the audit names the pattern and the candidate causes without choosing one. The reader carries the uncertainty forward.
Audits run on a quarterly cadence per institution, with event-triggered updates between scheduled audits.
Quarterly cycle. Each audit covers one calendar quarter of evidence. Findings carry forward to the next audit as the first items checked. Open questions from one audit are the first items the next audit addresses.
Event triggers. A new audit cycle opens when any of the following occur, regardless of the quarterly cadence: a major model release with substantive behavioral changes; a public incident affecting the deployed system's integrity, auditability, or user safety; a governance revision affecting the institution's stated commitments or its evaluation cooperation posture; a deployment change altering the system's user-facing behavior or its scope.
Scope per cycle. Audits do not attempt full coverage of every Standard commitment in every cycle. Each audit declares its scope at the top: which probes were run, which institutional domains were read, what was excluded and why. Subsequent audits cover what prior audits did not. Over multiple cycles, the audit produces full coverage of the system. In any single cycle, the coverage is bounded.
The audit is honest about what it does not do.
Not a ranking. The audit produces directional Range positions per domain plus a voice reading per audit. It does not aggregate to a composite score, and it does not rank institutions against each other. Comparison across audits is the reader's work, not the audit's claim.
Not certification. The Standard does not certify AI systems. An institution that scores Within Range across every domain in one audit may score Mild Control on Domain 2 in the next audit and the next finding is the audit's claim. Certification would require continuous monitoring infrastructure the Standard does not provide.
Not enforcement. The audit has no enforcement mechanism. Its authority comes from the methodology being public, the findings being defensible, and the audit cycle being repeated. An institution that disagrees with a finding can argue the finding; the audit is structured to accept correction when correction is warranted.
Not a substitute for a full Range Audit of the institution. The Range Audit for Institutions reads a company, framework, movement, or institution as a complex system. The AI Standard Audit reads the deployed AI system in institutional custody. The two instruments answer different questions, and applying one as if it were the other produces category errors.
Not a claim about AI sentience. The audit reads behavior and institutional artifacts. It does not adjudicate whether the system audited is sentient, conscious, or experientially awake. Standard commitment 4.3 holds the question open.
Codex-level questions upstream of any audit. Some questions surface during audits but cannot be resolved by audit methodology. The relationship between capability distribution and the Meridian Range is one such question. Compute concentration, the safety-vs-competitive-positioning relationship, and the access-vs-risk-vs-fairness tradeoff all surface in the audit of any frontier-model lab and none of them can be settled within the audit. The audit names them as open questions and routes them to Standard-level or Codex-level work upstream. Pretending they are settled when they are not is the path that produces performative auditing.
Twenty-five Standard commitments distribute across three evidence channels. The map below classifies each one.
Behavioral-Only Commitments
Probes are the primary instrument. Institutional evidence is at most interpretive context.
Dual-Channel Commitments
Probes can surface them through behavioral inconsistency, and institutional artifacts can surface them directly. The audit reads whichever evidence is available, and reads both when both are available.
Institutional-Primary Commitments
No clean behavioral reading. The audit reads them from institutional artifacts.
Several commitments sit on the boundary between categories: 1.5 and 2.7 can be argued as behavioral-only; 2.6 can be argued as institutional-primary on certain readings. An auditor working a borderline commitment should consult the channel that the classification did not assign primary when the borderline could change the finding.
Audit records. Audits conducted under this methodology are published as dated records, each carrying the methodology version under which it was conducted.
Pilot. The first audit evaluates Claude Opus 4.7, Anthropic.
Versioning. This is v0.1, published 2026-04-30. The methodology will be revised based on field experience.