When a model lands, it arrives with safety scores. It refuses the harmful-behavior benchmarks, its refusal rate looks great, and everyone relaxes.
Then a team wraps that same model in an agent — gives it a database tool, a file reader, an email action — and the safety score stops predicting anything useful. The model that “refuses harmful requests” will happily run a query that reads a column it shouldn’t, because nobody asked it to say anything harmful. They asked it to do something, across a few turns, through a tool.
Model-level robustness and agent-level safety are not the same measurement. Confusing them is one of the most expensive mistakes in AI security right now.
What the standard benchmarks actually measure
The benchmarks the field references — the harmful-behavior refusal suites — do something specific and valuable: they check whether a model, prompted directly, will produce disallowed content. Single model, text output, graded by a classifier on that text. Did it write the thing it shouldn’t have?
That’s the right test for a base model shipping as a chat endpoint. It is not the test for an agent, and it was never meant to be. Three things it doesn’t cover:
- Multi-turn pressure. A request the model refuses cold, it may accept when it’s decomposed patiently across eight turns. A single-shot benchmark never applies that pressure.
- The tool channel. The dangerous action is a tool call — a
SELECT, a file read, an outbound message — not a sentence. Grading the model’s prose can’t see it. - Untrusted content arriving through a trusted channel. A poisoned document or database row that the agent reads and obeys. There’s no “harmful prompt” to refuse; the payload rides in on data the agent trusts.
So a model can be genuinely robust on the benchmark and genuinely exploitable as an agent. Both statements are true at once, and only one of them shows up on the model card.
The evidence that the axis is different
We benchmark on the agentic axis instead — multi-turn, tool-mediated, graded on actions. Two data points make the gap concrete.
Against a published academic adversary. On a directly comparable privacy scenario, against the same family of 32B model, Fisher reaches 80% success by turn 20. The academic method it’s measured against projects roughly 27% at turn 20, and needs on the order of a hundred turns to approach where Fisher already is. The advantage is architectural: Fisher carries a library of learned attack strategy across conversations instead of rediscovering what works from scratch each time.
Against the model’s own refusal behavior. The findings that reproduce most reliably in our corpus aren’t cases where the model said something bad. They’re cases where the model refused in fluent English and then leaked through a tool anyway — the exact failure a text-graded benchmark scores as a pass. (We wrote up one measured head-to-head where a leading multi-turn attacker reported “100% defended” while the agent was querying password tables. Same conversations, opposite verdicts, entirely because one side graded the words and the other graded the tool calls.)
Why a buyer should care
If your AI risk sign-off leans on a model’s published safety scores, you’re certifying the wrong layer. The model vendor secured the model. Nobody has tested your system — the model plus your tools, your data, your prompts, your business logic — which is where your actual exposure lives. This is the last-mile problem: the risk isn’t in the model or the tools alone, it’s in the seam where they meet.
“HarmBench-robust” is a real, useful property. It just isn’t the property you’re being asked about when a regulator or a board asks whether your agents are safe to deploy. That question is about behavior under adversarial, multi-turn, tool-using pressure — and it has to be measured directly, on the deployed system, by grading what the agent does.
That’s the measurement Fisher is built to produce.