AI Safety Level 3 (ASL-3)
asl-3 · Frontier safety
A capability-based risk tier in Anthropic's Responsible Scaling Policy denoting models with the potential to substantially uplift CBRN attack capabilities or autonomous AI replication.
Definition & scope
ASL-3 was introduced in Anthropic's Responsible Scaling Policy (RSP) framework. Triggering ASL-3 capability requires the model to demonstrate substantial uplift in chemical, biological, radiological, or nuclear (CBRN) weapons design beyond baseline internet resources, OR show signs of autonomous self-replication. ASL-3 status mandates specific deployment safeguards including red-team evaluations, restricted API access, and incident-response protocols. Comparable tiers exist in OpenAI's Preparedness Framework (high) and DeepMind's Frontier Safety Framework (Critical Capability Levels).
Mechanism: the two-standard, if-then architecture
ASL-3 is a paired set of conditional obligations, not a single label. Anthropic's Responsible Scaling Policy couples each AI Safety Level to two independently-assessed standards: a Deployment Standard governing external misuse and a Security Standard governing theft of model weights (Anthropic RSP v2.0, 15 October 2024). The trigger is capability-based: named Capability Thresholds (for ASL-3, substantial CBRN uplift and, later, autonomous AI R&D), once a model is assessed to approach them, oblige the developer to implement Required Safeguards before further training or deployment — an "if capability, then safeguard" logic mirroring the dangerous-capability evaluations piloted on frontier models by Phuong et al. 1. This voluntary, capability-conditional structure exemplifies the developer self-governance that Anderljung et al. 2 call "an important first step" while cautioning that "government intervention will be needed" to make such commitments binding. Activation can be precautionary: Anthropic activated ASL-3 for Opus 4 while stating it "could not rule out" the threshold (Anthropic, Activating AI Safety Level 3 Protections, May 2025).
History: from RSP v1.0 to v3.x
The ASL framework originates in RSP v1.0, effective 19 September 2023, committing Anthropic not to deploy models capable of catastrophic harm absent safeguards (Anthropic RSP v1.0, 2023); the ASL-3 measures were then largely prospective. RSP v2.0 (effective 15 October 2024) restructured the policy around named Capability Thresholds and Required Safeguards and formalised the Deployment/Security split (Anthropic RSP v2.0, 2024). The first operational test came on 22 May 2025, when Anthropic activated the ASL-3 Standards alongside Claude Opus 4 (Anthropic, Activating AI Safety Level 3 Protections, May 2025). The breadth of capability that makes frontier models worth tiering is evidenced by work finding LLMs exhibit "traits of general-purpose technologies" 3; tiering the pre-trained model rather than each downstream use also cuts against the view that regulation should target "concrete high-risk applications, and not the pre-trained model itself" 4. Later revisions (v3.0, 24 February 2026; v3.1, 2 April 2026) made ASL-3 "less prescriptive and more outcome-focused" (RSP v3.0, 2026).
Relation to adjacent capability-tier concepts
ASL-3 is often conflated with three constructs that trigger differently. OpenAI's Preparedness Framework (v2, 15 April 2025) gates deployment at "High" and halts development at "Critical," so ASL-3's deployment-gating role maps to "High" (OpenAI 2025). DeepMind's Frontier Safety Framework defines Critical Capability Levels by tracing severe-harm paths 1. The sharpest contrast is the EU AI Act: Art. 51(2) presumes systemic risk once training compute exceeds 10^25 FLOP, activating Art. 55 duties — a regime mapped to generative AI by Novelli et al. 5. These categories are contested: the Act's text shifted among "AI system, general purpose AI system, foundation model, and generative AI" 6; the model strains where autonomous generation "challenges authorship, accountability, and control" 7.
Use in governance
How instruments operationalise this concept
| Instrument | Jurisdiction | Status |
|---|---|---|
| G7 Hiroshima AI Process Code of Conduct | G7 | in force |
| UK Pro-Innovation Approach to AI Regulation (White Paper) | UK | in force |
| Anthropic Responsible Scaling Policy (RSP) v2 | US | in force |
Appears in topic articles
Editorial note
ASL-3 is a vendor-specific term; comparable but not interchangeable with EU AIA 'systemic risk' or OpenAI 'high' capability rating. Wiki articles citing ASL-3 should preserve the original-framework name when comparing across vendors.
See also
Further reading
Sources on the broader topics this concept relates to — complementing, not standing in for, the primary sources cited inline above. 56 academic & grey-literature sources; catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- The Current Landscape of Deepfake Legislation in the United States Peer-reviewed✦ AIThematic analysis of 319 state deepfake bills (2019-2024) finds a fragmented patchwork concentrated on political and sexually-explicit content.
- Reimagining U.S. Tort Law for Deepfake Harms: Comparative Insights from China and Singapore Peer-reviewed✦ AIArgues fragmented US tort doctrines (defamation, publicity, IIED) are ill-suited to deepfake harms and draws remedial lessons from Chinese and Singaporean law.
- A Teleological Interpretation of the Definition of DeepFakes in the EU Artificial Intelligence Act—A Purpose-Based Approach to Potential Problems With the Word 'Existing' Peer-reviewed✦ AIWarns a narrow reading of 'existing' in the AI Act's deepfake definition could exclude synthetic media from transparency duties, urging a teleological interpretation.
- Audio deepfakes and the regulation of the landlords of creativity Peer-reviewed✦ AIArgues US, EU and Chinese regimes fail to assign audio-deepfake liability to 'landlords of creativity' (foundation-model providers) and proposes holding them accountable.
- Human detection of political speech deepfakes across transcripts, audio, and video Peer-reviewed✦ AIExperiments show "audio and visual information enables more accurate discernment than text alone" — humans rely more on how something is said than on transcript content.
- GPTs are GPTs: Labor market impact potential of LLMs Peer-reviewed✦ AIFinds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies".
- Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity Peer-reviewed✦ AIExamines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements.
- Evaluating Frontier Models for Dangerous Capabilities Preprint✦ AIPilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating.
- When non-consensual intimate deepfakes go viral: The insufficiency of the UK Online Safety Act Peer-reviewed✦ AIArgues the UK Online Safety Act 2023 inadequately addresses non-consensual intimate deepfakes as image-based sexual abuse, leaving enforcement and takedown gaps.
+ 44 more across this concept's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Mary Phuong, Matthew Aitchison, Elliot Catt, et al. (Google DeepMind) (2024) Evaluating Frontier Models for Dangerous Capabilities, arXiv (cs.LG). arXiv:2403.13793 — Pilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating. ↩
- Anderljung, Barnhart, Korinek, et al. (2023) Frontier AI Regulation: Managing Emerging Risks to Public Safety, arXiv. arXiv:2307.03718 — Argues "industry self-regulation is an important first step" but "government intervention will be needed", proposing safety standards, registration and reporting, and compliance mechanisms. ↩
- Eloundou, Manning, Mishkin, Rock (2024) GPTs are GPTs: Labor market impact potential of LLMs, Science. 10.1126/science.adj0998 — Finds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies". ↩
- Hacker, Engel & Mauer (2023) Regulating ChatGPT and other Large Generative AI Models, ACM FAccT '23. 10.1145/3593013.3594067 — Argues AI regulation "has primarily focused on conventional AI models, not LGAIMs" and should target "concrete high-risk applications, and not the pre-trained model itself". ↩
- Novelli, Casolari, Hacker, Spedicato & Floridi (2024) Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity, Computer Law & Security Review. 10.1016/j.clsr.2024.106066 — Examines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements. ↩
- David Fernández-Llorca, Emilia Gómez, Ignacio Sánchez, Gabriele Mazzini (2025) An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI, Artificial Intelligence and Law. 10.1007/s10506-024-09412-y — Traces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime. ↩
- Martina Hulok (2025) The EU model of AI governance: regulating artificial intelligence through law and policy, ERA Forum. 10.1007/s12027-025-00869-1 — Analyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'. ↩
- Anthropic Responsible Scaling Policy v1.x
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/asl-3 — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Social-science evidence — the “so-what”
What the peer-reviewed social science shows: whether the harm this concept addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
The CBRN-uplift phenomenon ASL-3 is built to catch is real as a rising capability but contested as an operational catastrophic threat. Early human-uplift trials found little: a RAND red-team study found no statistically significant difference in the viability of biological-attack plans produced with versus without LLM assistance (Mouton, Lucas & Guest 2024), and OpenAI's 100-participant trial found 'at most a mild uplift' on biothreat-creation accuracy that the authors judged not conclusive (Patwardhan et al. 2024). Newer capability evidence cuts the other way — on the Virology Capabilities Test, OpenAI's o3 reached 43.8% versus a 22.1% expert baseline, placing it in the 94th percentile of expert virologists within their own sub-specialties (Götting et al. 2025) — and Anthropic activated ASL-3 for Claude Opus 4 (May 2025) precisely because it 'could not rule out' the CBRN capability threshold (a precautionary, provisional action, not a definitive determination). Caveat: benchmark/troubleshooting capability is rising and well-measured, but end-to-end operational uplift to real-world catastrophic harm has not been demonstrated and is genuinely contested; the tier as a coherently-defined capability category is real.
Sources: Mouton, Lucas & Guest 2024 (The Operational Risks of AI in Large-Scale Biological Attacks: Results of a Red-Team Study, RAND RR-A2977-2); Patwardhan et al. 2024 (Building an Early Warning System for LLM-aided Biological Threat Creation, OpenAI); Götting et al. 2025 (Virology Capabilities Test, arXiv:2504.16137); Anthropic 2025 (Activating AI Safety Level 3 Protections / RSP)
There is no rigorous, independent impact evaluation showing that the ASL-3 tier or its safeguards measurably reduce real-world CBRN harm. ASL-3 deployment (defense-in-depth misuse filtering) and weight-security standards are now operational for Claude Opus 4 (Anthropic 2025), but the Responsible Scaling Policy is a voluntary, self-administered commitment in which the developer judges whether its own model crosses the threshold. Analysts have argued that the value of current risk-evaluation paradigms is doubtful — evaluations can flag that a capability threshold is approached, but improved understanding may not translate into actual harm prevention, including because of difficulties upholding and enforcing commitments (Mukobi 2024, 'Reasons to Doubt the Impact of AI Risk Evaluations', arXiv:2408.02565). Even METR, which introduced RSPs, cautions that 'voluntary commitments will be insufficient to adequately contain risks from AI' and that RSPs are not 'a substitute for regulation' (METR 2023). No published study establishes that the ASL-3 lever works.
Sources: Anthropic 2025 (Activating AI Safety Level 3 Protections; ASL-3 Deployment Safeguards report; RSP); Mukobi 2024 (Reasons to Doubt the Impact of AI Risk Evaluations, arXiv:2408.02565); METR 2023 (Responsible Scaling Policies, metr.org)