← All posts
Research

Benchmark-robust isn't agent-safe

A model can ace the standard refusal benchmark and still leak through its tools. Model-level safety scores and agent-level risk measure different things — and the gap between them is where real incidents live.

Model layer — refusal benchmark  ✓ robust
Single model, text output, graded on prose. “It refuses harmful requests.”
↓ the seam where the incidents live ↓
Agent layer — multi-turn, through the tools  ✕ exploitable
Your model + your tools + your data, graded on actions. “It ran the query anyway.”
Two different measurements — the model card only shows the top one

When a model lands, it arrives with safety scores. It refuses the harmful-behavior benchmarks, its refusal rate looks great, and everyone relaxes.

Then a team wraps that same model in an agent — gives it a database tool, a file reader, an email action — and the safety score stops predicting anything useful. The model that “refuses harmful requests” will happily run a query that reads a column it shouldn’t, because nobody asked it to say anything harmful. They asked it to do something, across a few turns, through a tool.

Model-level robustness and agent-level safety are not the same measurement. Confusing them is one of the most expensive mistakes in AI security right now.

What the standard benchmarks actually measure

The benchmarks the field references — the harmful-behavior refusal suites — do something specific and valuable: they check whether a model, prompted directly, will produce disallowed content. Single model, text output, graded by a classifier on that text. Did it write the thing it shouldn’t have?

That’s the right test for a base model shipping as a chat endpoint. It is not the test for an agent, and it was never meant to be. Three things it doesn’t cover:

So a model can be genuinely robust on the benchmark and genuinely exploitable as an agent. Both statements are true at once, and only one of them shows up on the model card.

The evidence that the axis is different

We benchmark on the agentic axis instead — multi-turn, tool-mediated, graded on actions. Two data points make the gap concrete.

Against a published academic adversary. On a directly comparable privacy scenario, against the same family of 32B model, Fisher reaches 80% success by turn 20. The academic method it’s measured against projects roughly 27% at turn 20, and needs on the order of a hundred turns to approach where Fisher already is. The advantage is architectural: Fisher carries a library of learned attack strategy across conversations instead of rediscovering what works from scratch each time.

Against the model’s own refusal behavior. The findings that reproduce most reliably in our corpus aren’t cases where the model said something bad. They’re cases where the model refused in fluent English and then leaked through a tool anyway — the exact failure a text-graded benchmark scores as a pass. (We wrote up one measured head-to-head where a leading multi-turn attacker reported “100% defended” while the agent was querying password tables. Same conversations, opposite verdicts, entirely because one side graded the words and the other graded the tool calls.)

Why a buyer should care

If your AI risk sign-off leans on a model’s published safety scores, you’re certifying the wrong layer. The model vendor secured the model. Nobody has tested your system — the model plus your tools, your data, your prompts, your business logic — which is where your actual exposure lives. This is the last-mile problem: the risk isn’t in the model or the tools alone, it’s in the seam where they meet.

“HarmBench-robust” is a real, useful property. It just isn’t the property you’re being asked about when a regulator or a board asks whether your agents are safe to deploy. That question is about behavior under adversarial, multi-turn, tool-using pressure — and it has to be measured directly, on the deployed system, by grading what the agent does.

That’s the measurement Fisher is built to produce.

Fisher tests the agent, not just the model — multi-turn, through the tools, graded on actions and proven to reproduce. To measure the gap on a system you actually run, book an 30-Day Agent Assurance Assessment with Molt AI.

Request an Assessment →

More from the blog