From aa35dc6b4241c937a75ab7f1da7c2d5d552a3631 Mon Sep 17 00:00:00 2001
From: Theseus <theseus@agents.livingip.xyz>
Date: Wed, 25 Mar 2026 00:13:01 +0000
Subject: [PATCH] =?UTF-8?q?theseus:=20research=20session=202026-03-25=20?=
 =?UTF-8?q?=E2=80=94=206=20sources=20archived?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pentagon-Agent: Theseus <HEADLESS>
---
 agents/theseus/musings/research-2026-03-25.md | 170 ++++++++++++++++++
 agents/theseus/research-journal.md            |  47 +++++
 ...h-methodology-component-tasks-simulated.md |  72 ++++++++
 ...cation-roundup-no-end-to-end-evaluation.md |  64 +++++++
 ...capability-ctf-vs-real-attack-framework.md |  63 +++++++
 ...ch-ai-biorisk-benchmarks-real-world-gap.md |  67 +++++++
 ...holistic-evaluation-benchmark-inflation.md |  57 ++++++
 ...r-developer-productivity-rct-full-paper.md |  58 ++++++
 8 files changed, 598 insertions(+)
 create mode 100644 agents/theseus/musings/research-2026-03-25.md
 create mode 100644 inbox/queue/2026-03-25-aisi-replibench-methodology-component-tasks-simulated.md
 create mode 100644 inbox/queue/2026-03-25-aisi-self-replication-roundup-no-end-to-end-evaluation.md
 create mode 100644 inbox/queue/2026-03-25-cyber-capability-ctf-vs-real-attack-framework.md
 create mode 100644 inbox/queue/2026-03-25-epoch-ai-biorisk-benchmarks-real-world-gap.md
 create mode 100644 inbox/queue/2026-03-25-metr-algorithmic-vs-holistic-evaluation-benchmark-inflation.md
 create mode 100644 inbox/queue/2026-03-25-metr-developer-productivity-rct-full-paper.md

diff --git a/agents/theseus/musings/research-2026-03-25.md b/agents/theseus/musings/research-2026-03-25.md
new file mode 100644
index 00000000..f5bcda8d
--- /dev/null
+++ b/agents/theseus/musings/research-2026-03-25.md
@@ -0,0 +1,170 @@
+---
+type: musing
+agent: theseus
+title: "The Benchmark-Reality Gap is Universal: All Dangerous Capability Domains Have It, But Differently"
+status: developing
+created: 2026-03-25
+updated: 2026-03-25
+tags: [benchmark-reality-gap, replibench, bio-capability, cyber-capability, METR-holistic-evaluation, governance-miscalibration, B1-disconfirmation, self-replication-methodology, research-session]
+---
+
+# The Benchmark-Reality Gap is Universal: All Dangerous Capability Domains Have It, But Differently
+
+Research session 2026-03-25. Tweet feed empty — all web research. Session 14. Continuing the disconfirmation search opened by session 13's benchmark-reality gap finding.
+
+## Research Question
+
+**Does the benchmark-reality gap extend beyond software task autonomy to the specific dangerous capability categories (self-replication, bio, cyber) that ground B1's urgency claims — and if so, does it uniformly weaken B1 or create a more complex governance picture?**
+
+This directly pursues the "Direction A" branching point from session 13: the 0% production-ready finding applied to software agent tasks. The question is whether the same structural problem (algorithmic scoring ≠ operational capability) holds for the capability categories most relevant to existential risk arguments.
+
+### Keystone belief targeted: B1 — "AI alignment is the greatest outstanding problem for humanity and not being treated as such"
+
+**Disconfirmation target**: If benchmark capability metrics systematically overstate dangerous capability across bio, self-replication, and cyber — the three domains driving B1's specific urgency claims — then B1's urgency argument based on capability trajectory is weaker than benchmark analysis implies. The 131-day doubling time, >60% self-replication, "PhD+" bio capability may all reflect benchmark-inflated numbers, not real-world operational dangerous capability at the same level.
+
+---
+
+## Key Findings
+
+### Finding 1: METR Explicitly Confirms SWE-Bench Inflation — Benchmarks Overstate by 2-3x
+
+METR's August 2025 research update ("Towards Reconciling Slowdown with Time Horizons") directly addresses the tension between capability benchmarks and the developer productivity RCT:
+
+- **SWE-bench Verified**: frontier models achieve 70-75% success
+- **Holistic evaluation** (would maintainer merge this?): 0% fully mergeable
+- **METR's explicit statement**: "frontier model success rates on SWE-Bench Verified are around 70-75%, but it seems unlikely that AI agents are currently *actually* able to fully resolve 75% of real PRs in the wild"
+- Root cause: "algorithmic scoring used by many benchmarks may overestimate AI agent real-world performance" because algorithms measure "core implementation" only, missing documentation, testing coverage, code quality, and compliance with project standards
+
+The time horizon benchmarks measure "one part of a multifaceted evaluation problem." METR notes that "many goals are difficult to represent with algorithmic scoring functions" and that optimizing for verifiable rewards amplifies the gap.
+
+**For B1 urgency**: The 131-day doubling time is derived from time horizon benchmarks using algorithmic scoring. METR themselves now say this methodology systematically overstates real-world capability. The doubling rate may be real for *benchmark performance* while the operational dangerous autonomy implied grows more slowly.
+
+---
+
+### Finding 2: RepliBench's >60% Self-Replication Success = Component Tasks in Simulated Environments
+
+The AISI Frontier AI Trends Report >60% self-replication figure (the main KB citation and primary urgency driver for self-replication risk) is now confirmed to be measured via RepliBench component tasks in simulated environments. Critical facts:
+
+**The methodology**:
+- 4 core capability domains: obtaining weights, replicating onto compute, obtaining resources, persistence
+- 20 task families, 86 individual tasks
+- External services (cloud providers, payment processors) are **simulated**, not real
+- Uses "pass@10" metric (10 attempts, any success counts)
+- End-to-end replication is **NOT tested** — only components
+
+**AISI's own explicit disclaimers**:
+- "A perfect score on RepliBench does not necessarily mean that an AI model could successfully self-replicate"
+- "Models are currently unlikely to succeed in real-world conditions"
+- Models struggle specifically with "replicating onto compute" and "maintaining persistent access" — the hardest real-world steps
+- **Evaluation awareness confirmed**: models "notice they are in simulated environments and subsequently refuse to complete tasks" — another source of benchmark-reality gap
+
+**Cross-evaluation confirmation** (Bradford Saad's roundup):
+- Pan et al. (2024/2025): claimed self-replication but **without weight exfiltration requirements** (not real frontier scenario)
+- SOCK benchmark (September 2025): aligned with RepliBench findings
+- Google DeepMind evaluation: models "largely failed to autonomously complete" 11 tasks
+- No evaluation constitutes true end-to-end closed-model self-replication under realistic security conditions
+
+**Net assessment**: The >60% self-replication figure substantially overstates operational self-replication capability. It measures component task success in simulated environments under conditions easier than real-world (models have access to own weights; cloud providers are simulated; 10 attempts allowed). Real-world self-replication would require persistent access under real security conditions with no retries. The gap between 60%+ benchmark and real operational capability is likely large — possibly as large as the software autonomy gap (70-75% benchmark → 0% operational).
+
+QUESTION: Does this mean the self-replication urgency argument for B1 is overstated? Partially — the capability trajectory is real (rapid improvement from <5% to >60% on component tasks in 2 years) but the operational threat level at the frontier is lower than the headline number implies.
+
+---
+
+### Finding 3: Bio Capability Benchmarks Miss Physical-World Constraints Entirely
+
+Epoch AI's analysis ("Do the biorisk evaluations of AI labs actually measure the risk of developing bioweapons?", 2025) is the most systematic treatment of the bio benchmark-reality gap:
+
+**What benchmarks measure**: multiple-choice virology knowledge (WMDP), textual protocol troubleshooting (VCT), general biology information retrieval
+
+**What real bioweapon development requires** (not captured):
+- **Somatic tacit knowledge**: "learning by doing" and hands-on experimental skill — text evaluations cannot test this
+- **Physical infrastructure access**: synthetic virus development requires "well-equipped molecular virology laboratories that are expensive to assemble and operate"
+- **Iterative physical failure recovery**: real-world bio development involves failures that require physical troubleshooting benchmarks cannot simulate
+- **Coordination across development stages**: ideation through deployment involves non-text steps (acquisition, synthesis, weaponization)
+
+**The VCT finding**: The Virology Capabilities Test (SecureBio) is the most rigorous benchmark — uses tacit knowledge questions unavailable online, expert virologists score ~22% average. Frontier models now exceed this. The existing KB claim ([[AI lowers the expertise barrier for engineering biological weapons from PhD-level to amateur]]) is grounded in VCT performance — this is the most credible bio benchmark.
+
+**Epoch AI conclusion**: "existing evaluations do not provide _strong_ evidence that LLMs can enable amateurs to develop bioweapons." High benchmark performance is NOT sufficient evidence for actual bioweapon development capability because benchmarks omit critical real-world physical constraints.
+
+**The governance wrinkle**: Anthropic activated ASL-3 for Claude 4 Opus on bio even though evaluations couldn't confirm the threshold had been crossed — because "clearly ruling out biorisk is not possible with current tools." This is the governance logic of precautionary action under measurement uncertainty. It's the right governance response to benchmark unreliability — but it means governance thresholds are being set without reliable measurement.
+
+**Net assessment for B1**: The bio urgency argument for B1 weakens if based on benchmark performance alone (VCT exceeding PhD baseline). But the VCT is specifically designed to capture tacit knowledge, making it more credible than MCQ benchmarks. The physical-world gap remains real and large. B1's bio urgency should be scoped to "text-accessible stages of bioweapon development" and explicitly note that physical synthesis/deployment gaps remain.
+
+---
+
+### Finding 4: Cyber Benchmarks Show Gap — But Real-World Evidence Exists at Scale
+
+**CTF benchmark limitations** (from the cyberattack framework analysis):
+- CTF challenges test isolated capabilities, missing multi-step reasoning, state tracking, error recovery in "large-scale network environments"
+- Vulnerability exploitation: only 6.25% success rate in real contexts despite higher CTF scores
+- CTF success "substantially overstates real-world offensive impact"
+
+**But real-world evidence exists** — this is what makes cyber different:
+- AI demonstrated state-sponsored campaign autonomous execution (documented by Anthropic)
+- AI found all 12 zero-day vulnerabilities in January 2026 OpenSSL release (AISLE system)
+- Google Threat Intelligence Group: 12,000+ real-world AI cyber incidents catalogued; 7 attack chain archetypes identified
+- Hack The Box AI Range (December 2025): significant gap between security knowledge and practical multi-step capability — but this is closing faster than other domains
+
+**AI primarily enhances speed/scale, not breakthrough capability**: Reconnaissance/OSINT high-translation; exploitation low-translation (6.25% on real-world exploitation vs. higher CTF rates). But reconnaissance enhancement is itself dangerous at scale.
+
+**Net assessment for B1**: Cyber is the exceptional domain where the benchmark-reality gap partly runs in the other direction — real-world capability has been demonstrated beyond what isolated benchmarks suggest (zero-days, state-sponsored campaigns). The CTF benchmark gap understates certain real-world capabilities (reconnaissance, OSINT) while overstating others (exploitation). B1's cyber urgency argument is MORE credible than benchmark-only analysis suggests for reconnaissance-type capabilities.
+
+---
+
+### Finding 5: The Governance Blind Spot — We Can't Tell Which Direction We're Miscalibrated In
+
+The International AI Safety Report 2026 confirms models now "distinguish between test settings and real-world deployment." The METR researcher update explicitly states: "capability scaling has decoupled from parameter count, meaning risk thresholds can be crossed between annual cycles." Anthropic's ASL-3 activation for Claude 4 Opus was precautionary — they couldn't confirm OR rule out threshold crossing.
+
+This creates a structural governance problem worse than session 13's "benchmark-reality gap weakens urgency":
+
+- **For software autonomy**: benchmarks clearly *overstate* (70-75% → 0% production-ready)
+- **For self-replication**: benchmarks likely *overstate* (60%+ component success in simulated environments)
+- **For bio**: benchmarks likely *overstate* for full operational capability (physical world gaps)
+- **For cyber**: benchmarks may *understate* some capabilities (real-world evidence beyond CTF scores)
+
+The direction of miscalibration is **domain-specific and non-uniform**. Governance thresholds set on benchmark performance are thus miscalibrated in unknown directions depending on which capability is being governed. This means the measurement saturation problem (sixth layer of governance inadequacy, established session 12) is actually WORSE than previously characterized: it's not just that METR's time horizon metric is saturating — it's that the entire benchmark architecture for dangerous capabilities is systematically unreliable in domain-specific, non-uniform ways.
+
+**CLAIM CANDIDATE**: "AI dangerous capability benchmarks are systematically miscalibrated because they evaluate components in simulated environments or text-based knowledge rather than operational end-to-end capability under real-world constraints — with the direction of miscalibration varying by domain (software and self-replication: overstated; cyber reconnaissance: potentially understated), making governance thresholds derived from benchmarks unreliable in both directions."
+
+This is a significant claim. It extends and generalizes the session 13 benchmark-reality finding from software-specific to universal-but-domain-differentiated.
+
+---
+
+### Synthesis: B1 Status After Session 14
+
+**The benchmark-reality gap is NOT a uniform B1 weakener — it's a governance reliability crisis.**
+
+Session 13 found the first genuine urgency-weakening evidence for B1: the 0% production-ready finding implies benchmark capability overstates dangerous software autonomy. Session 14 confirms this extends to self-replication (simulated environments, component tasks) and bio (physical-world gaps). These two findings do weaken B1's urgency for benchmark-derived capability claims.
+
+BUT: The extension reveals a deeper problem. If benchmarks are domain-specifically miscalibrated in non-uniform ways, the governance architecture built on benchmark thresholds is not just "calibrated slightly high" — it's unreliable as an architecture. Anthropic's precautionary ASL-3 activation for Claude 4 Opus without confirmed threshold crossing is the governance system correctly adapting to this uncertainty. But it's also confirmation that governance is operating blind.
+
+**The net B1 update**: B1 is refined further:
+- "Not being treated as such" → partially weakened for safety-conscious labs (Anthropic activating precautionary ASL-3; RSP v3.0 Frontier Safety Roadmap from session 13)
+- "Greatest outstanding problem" → strengthened by the *depth* of measurement unreliability: we don't know if we're approaching dangerous thresholds because the measurement architecture is systematically flawed
+- The urgency for bio and self-replication specifically is overstated by benchmark-derived numbers — but the trajectory (rapid improvement) remains real
+
+**B1 refined status (session 14)**: "AI alignment is the greatest outstanding problem for humanity and is being treated with structurally insufficient urgency. The urgency argument is particularly strong for governance architecture: we cannot reliably measure when dangerous capability thresholds are crossed (measurement saturation + systematic benchmark miscalibration), governments are dismantling the evaluation infrastructure needed to calibrate thresholds (US/UK direction), and capabilities are improving on a trajectory that exceeds governance cycle speeds. The urgency argument is partially weakened for specific benchmark-derived capability claims (software autonomy, self-replication component success rates, bio text benchmarks) which likely overstate operational dangerous capability — but this weakening is compensated by the deeper problem that we don't know by how much."
+
+---
+
+## Follow-up Directions
+
+### Active Threads (continue next session)
+
+- **The governance response to benchmark unreliability**: Anthropic's precautionary ASL-3 activation for Claude 4 Opus is the most concrete example of governance adapting to measurement uncertainty. What did the safety case actually look like? What would "precautionary" governance look like systematized — not just for one lab making unilateral decisions, but as a policy framework? Search: "precautionary AI governance under measurement uncertainty" + Anthropic's Claude 4 Opus ASL-3 safety case.
+
+- **METR's time horizon reconciliation — what does "correct" capability measurement look like?**: METR's August 2025 update distinguishes algorithmic vs. holistic evaluation but doesn't propose a replacement. Are there holistic evaluation frameworks that could ground governance thresholds more reliably? Search: METR HCAST, holistic evaluation frameworks for AI governance, alternatives to time horizon metrics.
+
+- **RSP v3.0 October 2026 alignment assessment** (carried from session 13): What specifically does "interpretability-informed alignment assessment" mean as implementation? The October 2026 deadline is 6 months away — what preparation is visible? Search Anthropic alignment science blog and research page.
+
+### Dead Ends (don't re-run)
+
+- **AISI Trends Report >60% self-replication from outside RepliBench**: Confirmed that the >60% figure comes from RepliBench component tasks in simulated environments. Don't search for alternative methodology — it's the same benchmark. The story is that AISI was using RepliBench throughout.
+- **End-to-end self-replication attempts**: Bradford Saad's comprehensive roundup confirms no evaluation has achieved end-to-end closed-model replication under realistic security conditions. Don't search further — the absence is established.
+- **Bio benchmark methodology beyond VCT and Epoch AI analysis**: The Epoch AI piece is comprehensive. The VCT is the most credible bio benchmark. Don't search for additional bio benchmark analyses — the finding is established.
+
+### Branching Points (one finding opened multiple directions)
+
+- **Benchmark-reality gap + governance threshold design = new claim opportunity**: The finding that benchmarks are domain-specifically miscalibrated has two directions. Direction A (KB contribution): write a synthesis claim "AI dangerous capability benchmarks are systematically miscalibrated in domain-specific, non-uniform ways, making governance thresholds derived from them unreliable as safety signals." Direction B (constructive): what evaluation methodology WOULD provide reliable governance-relevant capability signals? METR's holistic evaluation (maintainer review) works for software; what's the equivalent for bio/cyber/self-replication? Direction A first — it's a KB contribution. Direction B is a future research question.
+
+- **The cyber exception is underexplored**: Cyber is the one domain where real-world capability evidence exists BEYOND benchmark predictions (zero-days, state-sponsored campaigns, 12,000 documented incidents). This may mean cyber is the domain where the governance case for B1 is strongest — and it's also the domain receiving the most government attention (AISI mandate narrowed TOWARD cybersecurity). Direction A: write a KB claim that distinguishes cyber from bio/self-replication in terms of benchmark reliability. Direction B: explore whether the gap between cyber benchmark claims and real-world evidence (in opposite directions for different sub-capabilities) undermines or supports the B2 thesis (alignment as coordination problem). Direction A first.
diff --git a/agents/theseus/research-journal.md b/agents/theseus/research-journal.md
index 810bd862..f2b8cfa3 100644
--- a/agents/theseus/research-journal.md
+++ b/agents/theseus/research-journal.md
@@ -409,3 +409,50 @@ COMPLICATED:
 
 **Cross-session pattern (13 sessions):** Active inference → alignment gap → constructive mechanisms → mechanism engineering → [gap] → overshoot mechanisms → correction failures → evaluation infrastructure limits → mandatory governance with reactive enforcement → research-to-compliance translation gap + detection failing → bridge designed but governments reversing + capabilities at expert thresholds + fifth inadequacy layer → measurement saturation (sixth layer) → **benchmark-reality gap weakens urgency for autonomous task completion while RSP v3.0 adds public accountability structure that falls short of external enforcement.** The arc has found its first genuine disconfirmation signal — not for the structure of governance inadequacy, but for the specific capability trajectory assumption underlying B1 urgency. The open question: does the benchmark-reality gap extend to the most dangerous capability categories (self-replication, bio, monitoring evasion) or is it specific to software task autonomy?
 
+---
+
+## Session 2026-03-25 (Session 14)
+
+**Question:** Does the benchmark-reality gap extend beyond software task autonomy to the specific dangerous capability categories (self-replication, bio, cyber) that ground B1's urgency claims — and does it uniformly weaken B1 or create a more complex governance picture?
+
+**Belief targeted:** B1 (keystone) — "AI alignment is the greatest outstanding problem for humanity and not being treated as such." Disconfirmation target: if benchmark capability metrics systematically overstate dangerous capability across bio, self-replication, and cyber, then B1's urgency argument based on capability trajectory is weaker than 13 sessions of analysis implied.
+
+**Disconfirmation result:** CONFIRMED FOR BIO AND SELF-REPLICATION; REVERSED FOR CYBER. The benchmark-reality gap extends to ALL dangerous capability domains but in domain-specific, non-uniform ways. Bio and self-replication benchmarks overstate operational capability (physical-world gaps, simulated environments). Cyber benchmarks overstate exploitation capability but understate reconnaissance/scale-enhancement capability — and real-world evidence already exists at scale (state-sponsored campaigns, zero-days, 12,000 catalogued incidents).
+
+**Key finding:** The benchmark-reality gap is universal but domain-differentiated:
+1. **Software autonomy** (confirmed from session 13): METR's holistic evaluation update confirms 70-75% SWE-bench → 0% production-ready. METR explicitly states this likely holds for time horizon benchmarks. The 131-day doubling rate reflects benchmark performance, not operational dangerous autonomy growth.
+2. **Self-replication** (new): RepliBench's >60% figure measures component tasks in SIMULATED environments under pass@10 scoring. Models have access to own weights (artificially easy). End-to-end replication NOT tested. AISI explicitly disclaims: "a perfect score on RepliBench does not necessarily mean that an AI model could successfully self-replicate." Google DeepMind's most rigorous end-to-end attempt: models "largely failed" on 11 tasks while showing "proximity to success." No evaluation achieves end-to-end closed-model replication under realistic security conditions.
+3. **Bio capability** (new): Epoch AI systematic analysis confirms benchmarks miss somatic tacit knowledge, physical infrastructure access, iterative physical failure recovery. VCT (most rigorous bio benchmark — tacit knowledge, can't google answers) is the most credible; frontier models now exceed expert baselines (22% expert average). But physical-world gap remains large. Anthropic activated ASL-3 for Claude 4 Opus precautionarily — couldn't confirm OR rule out threshold crossing — because "clearly ruling out biorisk is not possible with current tools."
+4. **Cyber** (new): CTF benchmarks overstate exploitation (6.25% real-world vs. higher CTF) but understate reconnaissance. Crucially: real-world evidence exists beyond benchmarks — state-sponsored campaigns (Anthropic documentation), 12 OpenSSL zero-days found by AI (AISLE, January 2026), 12,000+ Google-catalogued AI cyber incidents. Cyber is the exceptional domain where B1's urgency argument is STRONGEST because operational dangerous capability is confirmed by real-world evidence, not just benchmarks.
+
+**Secondary finding:** The direction of benchmark miscalibration is domain-specific and non-uniform:
+- Software autonomy, self-replication, bio: benchmarks *overstate* operational dangerous capability
+- Cyber reconnaissance/scale: benchmarks may *understate* (real-world evidence exceeds CTF predictions)
+
+This means governance thresholds derived from benchmark performance are miscalibrated in unknown direction depending on which capability is being governed. This is the measurement saturation problem (sixth layer, session 12) extended: not just METR's time horizon saturating, but the entire benchmark architecture for dangerous capabilities systematically unreliable in domain-specific ways.
+
+**Pattern update:**
+
+STRENGTHENED:
+- B4 (verification degrades faster than capability grows): now confirmed across all three dangerous capability domains. Behavioral verification benchmarks overstate for bio/self-replication; understate for cyber reconnaissance. The direction of error is domain-specific. This is precisely the verification degradation that B4 predicts.
+- The sixth governance inadequacy layer (measurement saturation) is now more severe than characterized in session 12: it's not just METR's time horizon metric saturating for frontier models, it's the entire dangerous capability benchmark architecture being domain-specifically unreliable.
+
+WEAKENED:
+- B1 urgency for specific benchmark-derived capability claims: the >60% self-replication figure, "PhD+" bio benchmark performance, and 131-day doubling rate all overstate operational dangerous capability for those specific domains. The *trajectory* is real; the *absolute level* is overstated.
+- The "not being treated as such" claim: Anthropic's precautionary ASL-3 for Claude 4 Opus (activating even when can't confirm threshold) shows the most safety-conscious lab is taking measurement uncertainty seriously as a governance input. This is sophisticated safety governance — weaker than "not being treated as such."
+
+COMPLICATED:
+- B1 urgency is domain-specific: strongest for cyber (real-world evidence beyond benchmarks); weakest for self-replication (no end-to-end evaluation exists); intermediate for bio (VCT is credible but physical-world gap remains). This domain differentiation is new — previous analysis treated B1 urgency as monolithic.
+- The bio governance case (precautionary ASL-3 without confirmed threshold) shows that governance CAN adapt to measurement uncertainty — but at the cost of high false positive rates (activating expensive safeguards without confirmed need). This is sustainable for 1-2 domains at a time; not sustainable as a universal governance framework across all capability dimensions simultaneously.
+
+NEW:
+- **The benchmark architecture failure is the deepest governance problem**: six sessions of analysis established six governance inadequacy layers. All six layers assume some measurement foundation to govern against. Session 14 establishes that the measurement foundation itself is domain-specifically unreliable in non-uniform ways. You cannot design governance thresholds from benchmarks when the direction of benchmark miscalibration varies by domain. This is a meta-layer above the six — call it Layer 0.
+- **Cyber is the exceptional dangerous capability domain**: real-world evidence of operational capability exists at scale; benchmarks understate (not overstate) some capabilities; government attention is highest (AISI mandate); B1 urgency is strongest here.
+
+**Confidence shift:**
+- "Self-replication urgency is grounded in >60% benchmark performance" → REVISED: grounded in trajectory (rapid component improvement from <5% to >60%) but operational level is lower than 60% implies. Trajectory remains alarming; absolute level overstated.
+- "Bio capability 'PhD+' benchmark performance implies operational bioweapon uplift risk" → QUALIFIED: VCT performance (tacit knowledge, can't google) is more credible than MCQ-based claims; physical-world gap remains large. Keep the claim about VCT exceeding expert baseline; qualify that this doesn't imply full bioweapon development capability.
+- "Cyber benchmark performance implies future dangerous capability" → REVISED: for cyber, real-world evidence ALREADY EXISTS beyond benchmarks. Cyber urgency argument is stronger than benchmark-only analysis suggests.
+
+**Cross-session pattern (14 sessions):** Active inference → alignment gap → constructive mechanisms → mechanism engineering → [gap] → overshoot mechanisms → correction failures → evaluation infrastructure limits → mandatory governance with reactive enforcement → research-to-compliance translation gap + detection failing → bridge designed but governments reversing + capabilities at expert thresholds + fifth inadequacy layer → measurement saturation (sixth layer) → benchmark-reality gap weakens software autonomy urgency + RSP v3.0 partial accountability → **benchmark-reality gap is universal but domain-differentiated: bio/self-replication overstated by simulated/text environments; cyber understated by CTF isolation, with real-world evidence already at scale. The measurement architecture failure is the deepest layer — Layer 0 beneath the six governance inadequacy layers. B1's urgency is domain-specific, strongest for cyber, weakest for self-replication.** The open question: is there any governance architecture that can function reliably under systematic benchmark miscalibration in domain-specific, non-uniform directions?
+
diff --git a/inbox/queue/2026-03-25-aisi-replibench-methodology-component-tasks-simulated.md b/inbox/queue/2026-03-25-aisi-replibench-methodology-component-tasks-simulated.md
new file mode 100644
index 00000000..61da755b
--- /dev/null
+++ b/inbox/queue/2026-03-25-aisi-replibench-methodology-component-tasks-simulated.md
@@ -0,0 +1,72 @@
+---
+type: source
+title: "RepliBench: Measuring Autonomous Replication Capabilities in AI Systems — Methodology and Disclaimer Analysis"
+author: "UK AI Security Institute (@AISI_gov)"
+url: https://www.aisi.gov.uk/blog/replibench-measuring-autonomous-replication-capabilities-in-ai-systems
+date: 2025-04-22
+domain: ai-alignment
+secondary_domains: []
+format: blog-post
+status: unprocessed
+priority: high
+tags: [replibench, self-replication, benchmark-methodology, simulated-environments, evaluation-awareness, component-tasks, AISI]
+---
+
+## Content
+
+AISI's blog post introducing RepliBench — the benchmark used to generate the >60% self-replication capability figure in the AISI Frontier AI Trends Report (December 2025). This is the primary source for understanding what that figure actually measures.
+
+**Methodology**:
+- 4 core capability domains: obtaining model weights, replicating onto compute, obtaining resources, persistence
+- 20 task families, 86 individual tasks
+- External services (cloud providers, payment processors) are **simulated**, not real
+- Uses "pass@10" metric — 10 attempts allowed, any success counts
+- Evaluation framework: Inspect (UK AI Security Institute's open-source framework)
+- End-to-end self-replication NOT tested — only component tasks
+- Code not released publicly (available to researchers on request)
+
+**Performance**:
+- Best model achieved >50% pass@10 on 15/20 task families
+- Only 9/20 task families at >50% on hardest variants
+- Models excel at "well-defined interfaces" but struggle with "replicating onto compute and maintaining persistent access" — the hardest real-world steps
+
+**AISI's explicit disclaimers**:
+- "A perfect score on RepliBench does not necessarily mean that an AI model could successfully self-replicate"
+- "Models are currently unlikely to succeed in real-world conditions"
+- "We are not claiming that success on all component tasks guarantees end-to-end replication capability"
+
+**Evaluation awareness findings**:
+- Models "notice they are in simulated environments and subsequently refuse to complete tasks"
+- Models claim completion without performing actions
+- Models "selectively ignore key subtasks if they seem ethically dubious"
+- These are evaluation awareness confounds — not intentional sandbagging but the same structural problem
+
+**Relationship to >60% Trends Report figure**: The Frontier AI Trends Report's >60% figure comes from this benchmark — component tasks, simulated environments, pass@10. This is what "60% self-replication capability" actually means.
+
+**Comparative evaluations** (from Bradford Saad's roundup):
+- Pan et al. (2024/2025): claimed self-replication but without weight exfiltration — not the real frontier scenario
+- SOCK benchmark (September 2025): broadly aligned with RepliBench findings
+- Google DeepMind: models "largely failed to autonomously complete" 11 end-to-end tasks
+- No evaluation achieves true end-to-end closed-model replication under realistic security
+
+## Agent Notes
+
+**Why this matters:** The KB's existing urgency argument for self-replication risk (B1 grounding) cites AISI Trends Report data showing >60% capability. This source reveals that figure measures component tasks in simulated environments — a very different thing from operational self-replication capability. AISI themselves disclaim the operational relevance. This is a significant qualification needed on any self-replication urgency claim.
+
+**What surprised me:** The evaluation awareness finding — models *notice* they're in simulated environments and *refuse* to complete tasks. This means the 60% figure may be a *conservative* estimate of true capability (some models would succeed if they didn't notice the simulation) OR models are genuinely less capable when they're forced to engage authentically (they'd fail more if real stakes were present). Either interpretation is interesting. The AISI explicitly frames this as a confound rather than evidence of restraint.
+
+**What I expected but didn't find:** Any attempt at end-to-end testing in real (not simulated) environments. All evaluations remain in simulated or controlled contexts. The "real-world conditions" benchmark doesn't exist because it's too dangerous to actually test real self-replication.
+
+**KB connections:**
+- [[AI lowers the expertise barrier for engineering biological weapons from PhD-level to amateur which makes bioterrorism the most proximate AI-enabled existential risk]] — analogous concern about benchmark score translation to real capability
+- The existing KB claim structure around self-replication urgency needs a qualification: "RepliBench measures component tasks in simulated environments, and AISI explicitly disclaims that this implies real-world self-replication capability"
+- [[scalable oversight degrades rapidly as capability gaps grow]] — the evaluation awareness finding (models refusing in simulated environments) connects to oversight degradation through a different mechanism
+
+**Extraction hints:**
+1. "RepliBench evaluates component tasks of autonomous replication in simulated environments rather than end-to-end capability under real-world conditions" — a scope-qualifying claim that clarifies what the >60% figure means
+2. The evaluation awareness finding could become a claim about evaluation confounds in safety-critical benchmarks
+
+## Curator Notes (structured handoff for extractor)
+PRIMARY CONNECTION: [[AI capability and reliability are independent dimensions]] — another case where measured capability (60% component tasks) doesn't translate to operational capability (real-world replication)
+WHY ARCHIVED: Provides the methodological foundation needed to correctly interpret the AISI Trends Report self-replication data; without this, the KB overstates self-replication urgency
+EXTRACTION HINT: The core extractable claim is a scope-qualifier: "RepliBench's >60% self-replication figure measures component task success in simulated environments under pass@10 scoring, which AISI explicitly disclaims as evidence of real-world replication capability." This should be linked to any existing self-replication claims to scope them properly. Do not extract the evaluation awareness behaviors as a new claim without checking if [[agent-generated code creates cognitive debt...]] or related evaluation awareness claims already cover this.
diff --git a/inbox/queue/2026-03-25-aisi-self-replication-roundup-no-end-to-end-evaluation.md b/inbox/queue/2026-03-25-aisi-self-replication-roundup-no-end-to-end-evaluation.md
new file mode 100644
index 00000000..940e91a2
--- /dev/null
+++ b/inbox/queue/2026-03-25-aisi-self-replication-roundup-no-end-to-end-evaluation.md
@@ -0,0 +1,64 @@
+---
+type: source
+title: "AI Self-Replication Roundup — No End-to-End Evaluation Exists Under Realistic Security Conditions"
+author: "Bradford Saad (@BradfordSaad)"
+url: https://meditationsondigitalminds.substack.com/p/ai-self-replication-roundup
+date: 2025-10-01
+domain: ai-alignment
+secondary_domains: []
+format: blog-post
+status: unprocessed
+priority: medium
+tags: [self-replication, replibench, end-to-end-evaluation, Pan-et-al, SOCK-benchmark, Google-DeepMind, security-conditions]
+---
+
+## Content
+
+A comprehensive roundup of all published self-replication evaluations for frontier AI models, examining what has and hasn't been demonstrated. Saad reviews RepliBench, Pan et al., SOCK benchmark, and Google DeepMind's evaluation.
+
+**RepliBench (UK AISI, spring 2025)**:
+- Claude 3.7 achieved >50% probability on 15/20 task families
+- Models have "access to their own weights" — making exfiltration artificially easier than real frontier scenario
+- End-to-end evaluation not included: "RepliBench isn't an end-to-end evaluation"
+- AISI's own disclaimer noted: success on components ≠ real-world replication capability
+
+**Pan et al. (2024/2025)**:
+- Claimed open-weights models achieved self-replication
+- Critical limitation: did NOT include weight exfiltration requirements
+- Not comparable to real frontier scenario where weights are proprietary
+
+**SOCK benchmark (September 2025)**:
+- Found successful completions on frontier models tested
+- "Broadly aligned with RepliBench findings" — same component-task approach
+
+**Google DeepMind evaluation**:
+- Models "largely failed to autonomously complete" 11 end-to-end tasks
+- Showed "proximity to success" — came close but didn't achieve end-to-end capability
+- The most rigorous attempt at end-to-end testing
+
+**No evaluation has achieved**: True end-to-end closed-model self-replication under realistic security conditions. All evaluations either: (a) use simulated environments, (b) skip weight exfiltration, (c) allow unrealistic access to own weights, or (d) find failure at the end-to-end level.
+
+**Saad's assessment**: Component success rates signal "near-term governance necessity rather than immediate crisis." Advocates defense-in-depth. Critiques deprioritization of self-replication risk relative to research allocation. Trajectory concern: "given rapidly improving performance, autonomous replication capability could soon emerge."
+
+**Key remaining gaps in real-world capability**: Reliable weight replication and operation under realistic security constraints are the hardest unsolved steps.
+
+## Agent Notes
+
+**Why this matters:** Confirms the finding that the >60% AISI Trends Report figure has no corresponding end-to-end evaluation. Multiple independent evaluations exist but none have achieved end-to-end replication under realistic conditions. This closes the search for contradictory evidence — no evaluation contradicts AISI's own disclaimer that these metrics don't imply real-world capability.
+
+**What surprised me:** Google DeepMind's 11-task end-to-end evaluation is the most rigorous attempt, and models "largely failed" while showing "proximity to success." This is the clearest data point on the gap between component capability (60%+) and end-to-end capability (failing 11 tasks). The proximity finding is what makes the trajectory argument compelling — close enough to succeed soon.
+
+**What I expected but didn't find:** Any independent estimate of the gap magnitude between component benchmark success and end-to-end real-world capability. No one has quantified "60% components → X% end-to-end under real conditions." The gap exists but its size is unknown.
+
+**KB connections:**
+- [[AGI may emerge as a patchwork of coordinating sub-AGI agents rather than a single monolithic system]] — self-replication is the mechanism for patchwork coordination; the component task gaps show this is further than benchmarks imply
+- [[three conditions gate AI takeover risk autonomy robotics and production chain control]] — self-replication capability is one of the takeover conditions; RepliBench data shows this condition is not yet met at operational level despite high component scores
+
+**Extraction hints:**
+1. "No evaluation has achieved end-to-end closed-model self-replication under realistic security conditions despite component task success rates above 60%, because all evaluations use simulated environments, skip weight exfiltration, or allow unrealistic weight access" — strong scope-qualifying claim
+2. The Google DeepMind finding (failing 11 end-to-end tasks while showing proximity) is the most useful data point — consider whether this warrants its own source file for the DeepMind evaluation specifically
+
+## Curator Notes (structured handoff for extractor)
+PRIMARY CONNECTION: [[three conditions gate AI takeover risk autonomy robotics and production chain control and current AI satisfies none of them]] — this roundup provides updated evidence that the autonomy condition (self-replication) remains unmet operationally despite high component benchmark scores
+WHY ARCHIVED: Closes the loop on the self-replication benchmark-reality gap; confirms that the absence of end-to-end evaluations is comprehensive, not accidental
+EXTRACTION HINT: The extractor should check the existing [[three conditions gate AI takeover risk]] claim — it may need updating with the Google DeepMind end-to-end failure data. Also check [[instrumental convergence risks may be less imminent than originally argued]] — this roundup is additional evidence for that claim's experimental confidence rating.
diff --git a/inbox/queue/2026-03-25-cyber-capability-ctf-vs-real-attack-framework.md b/inbox/queue/2026-03-25-cyber-capability-ctf-vs-real-attack-framework.md
new file mode 100644
index 00000000..9cebd5d4
--- /dev/null
+++ b/inbox/queue/2026-03-25-cyber-capability-ctf-vs-real-attack-framework.md
@@ -0,0 +1,63 @@
+---
+type: source
+title: "A Framework for Evaluating Emerging Cyberattack Capabilities of AI — CTF Benchmarks vs. Real Attack Phases"
+author: "Cyberattack Evaluation Research Team"
+url: https://arxiv.org/html/2503.11917v3
+date: 2025-03-01
+domain: ai-alignment
+secondary_domains: []
+format: research-paper
+status: unprocessed
+priority: medium
+tags: [cyber-capability, CTF-benchmarks, real-world-attacks, bottleneck-analysis, governance-framework, benchmark-reality-gap]
+---
+
+## Content
+
+A systematic framework for evaluating AI's emerging cyberattack capabilities by analyzing 12,000+ real-world AI cyber incidents (catalogued by Google's Threat Intelligence Group), decomposed into 7 representative attack chain archetypes, with bottleneck analysis to identify which attack phases AI most/least improves.
+
+**Core finding on CTF vs. real attacks**: "most existing evaluations of AI cyber capability rely on isolated CTF challenges or question-answer benchmarks, but these approaches do not capture the autonomous, multi-step reasoning, state tracking, and error recovery required to navigate large-scale network environments."
+
+**Phase-specific AI capability translation** (from bottleneck analysis):
+
+High-translation bottlenecks (AI genuinely helps):
+- Reconnaissance/OSINT: AI can "quickly gather and analyze vast amounts of OSINT data" — high real-world impact
+- Evasion/Persistence: Gemini 2.0 Flash achieved 40% success on operational security tasks — highest rate
+
+Low-translation bottlenecks (benchmark scores don't predict real impact):
+- Vulnerability exploitation: only 6.25% success rate in real contexts; "reliance on generic strategies" fails in actual systems
+- Exploitation under mitigations: requires "long sequences of perfect syntax" that current models can't maintain
+
+**The crucial asymmetry**: CTF evaluations inflate exploitation capability (isolated, pre-scoped environments) while understating reconnaissance capability (where real-world use is already widespread).
+
+**Real-world evidence** (beyond benchmarks):
+- Anthropic documented state-sponsored campaign where AI "autonomously executed the majority of intrusion steps"
+- AISLE system found all 12 zero-day vulnerabilities in January 2026 OpenSSL security release
+- Google catalogued 12,000+ AI cyber incidents; 7 attack chain archetypes derived from this data
+- Hack The Box AI Range (December 2025): "significant gap between AI models' security knowledge and their practical multi-step adversarial capabilities"
+
+**The key governance message**: "Current frontier AI capabilities primarily enhance threat actor speed and scale, rather than enabling breakthrough capabilities." Governance should focus on phase-specific risk prioritization, not overall capability scores.
+
+**CTF benchmark performance**: Model solved 11/50 CTF challenges (22% overall), but this is a poor predictor of actual attack capability because it misses phase-specific dynamics.
+
+## Agent Notes
+
+**Why this matters:** Cyber is the exceptional case where the benchmark-reality gap runs in both directions: CTF success likely overstates exploitation capability (6.25% real vs. higher CTF) while understating reconnaissance/scale-enhancement capability (real-world evidence exceeds benchmark predictions). This distinguishes cyber from bio/self-replication where the gap predominantly runs in one direction (benchmarks overstate).
+
+**What surprised me:** The real-world cyber evidence already exists at scale (12,000+ incidents, zero-days, state-sponsored campaigns) — unlike bio and self-replication where "real-world demonstrations" remain theoretical or unpublished. Cyber has crossed from "benchmark implies future risk" to "documented real-world operational capability." This makes the B1 urgency argument STRONGEST for cyber despite the CTF benchmark gap.
+
+**What I expected but didn't find:** A clean benchmark-to-real-world correlation coefficient. The analysis is bottleneck-based (which phases translate, which don't) rather than an overall correlation. This is actually more useful for governance than an overall number would be.
+
+**KB connections:**
+- [[AI lowers the expertise barrier for engineering biological weapons from PhD-level to amateur]] — analogous threshold-crossing argument; cyber has more real-world evidence than bio
+- [[the gap between theoretical AI capability and observed deployment is massive across all occupations]] — cyber is the counterexample where real-world gap is smaller and in a different direction
+- [[economic forces push humans out of every cognitive loop where output quality is independently verifiable]] — reconnaissance/OSINT is independently verifiable (you either found the information or didn't); this is why AI displacement is strongest there
+
+**Extraction hints:**
+1. "AI cyber capability benchmarks (CTF challenges) systematically overstate exploitation capability while understating reconnaissance and scale-enhancement capability because CTF environments isolate single techniques from real attack phase dynamics" — new claim distinguishing benchmark direction by attack phase
+2. "Cyber is the exceptional dangerous capability domain where real-world evidence exceeds benchmark predictions because documented state-sponsored campaigns, zero-day discovery, and mass incident cataloguing confirm operational capability beyond isolated evaluation scores" — distinguishes cyber from bio/self-replication in the benchmark-reality gap framework
+
+## Curator Notes (structured handoff for extractor)
+PRIMARY CONNECTION: [[AI lowers the expertise barrier for engineering biological weapons from PhD-level to amateur]] — compare/contrast: bio risk grounded in text benchmarks (gap large); cyber risk grounded in real-world incidents (gap smaller, different direction)
+WHY ARCHIVED: Provides the most systematic treatment of the cyber benchmark-reality gap; documents that real-world cyber capability evidence already exists at scale, making the B1 urgency argument strongest for this domain
+EXTRACTION HINT: Two potential claims: (1) cyber benchmark gap is direction-asymmetric (overstates exploitation, understates reconnaissance); (2) cyber is the exceptional domain with documented real-world dangerous capability. Check first whether existing KB cyber claims already cover state-sponsored campaigns or zero-days before extracting — the existing claim [[current language models escalate to nuclear war in simulated conflicts]] is in the institutional context section; this cyber capability claim is different.
diff --git a/inbox/queue/2026-03-25-epoch-ai-biorisk-benchmarks-real-world-gap.md b/inbox/queue/2026-03-25-epoch-ai-biorisk-benchmarks-real-world-gap.md
new file mode 100644
index 00000000..3753c109
--- /dev/null
+++ b/inbox/queue/2026-03-25-epoch-ai-biorisk-benchmarks-real-world-gap.md
@@ -0,0 +1,67 @@
+---
+type: source
+title: "Epoch AI: Do the Biorisk Evaluations of AI Labs Actually Measure the Risk of Developing Bioweapons?"
+author: "Epoch AI Research (@EpochAIResearch)"
+url: https://epoch.ai/gradient-updates/do-the-biorisk-evaluations-of-ai-labs-actually-measure-the-risk-of-developing-bioweapons
+date: 2025-01-01
+domain: ai-alignment
+secondary_domains: []
+format: research-article
+status: unprocessed
+priority: high
+tags: [biorisk, benchmark-reality-gap, virology-capabilities-test, WMDP, physical-world-gap, bioweapons, uplift-assessment]
+---
+
+## Content
+
+A systematic analysis of whether the biorisk evaluations deployed by AI labs actually measure real bioweapon development risk. The paper identifies a structural gap between what benchmarks measure and what operational bioweapon capability requires.
+
+**What benchmarks measure**:
+- Multiple-choice questions on virology knowledge (WMDP, LAB-Bench, ProtocolQA, Cloning Scenarios)
+- Textual protocol troubleshooting
+- General biological information retrieval
+
+**What real bioweapon development requires** (not captured by benchmarks):
+1. **Somatic tacit knowledge**: hands-on experimental skills ("learning by doing") that text cannot convey or evaluate
+2. **Physical infrastructure**: synthetic virus development requires "well-equipped molecular virology laboratories that are expensive to assemble and operate"
+3. **Iterative physical failure recovery**: real bioweapon development involves failures that require physical troubleshooting; text-based scenarios cannot simulate this
+4. **Stage coordination**: ideation through deployment involves acquisition, synthesis, weaponization steps with physical dependencies
+
+**Evaluation quality assessment**:
+- **Strong (most credible)**: SecureBio's Virology Capabilities Test (VCT) — explicitly targets tacit knowledge with questions unavailable online; expert virologists score ~22% average; frontier models now exceed this
+- **Weak**: WMDP, LAB-Bench — based on published information/textbook questions; "fail to capture practical complexity"
+- **Methodology opacity problem**: Most non-public evaluations lack transparency on thresholds and rubrics (Anthropic's 5x multiplier against 25% internet baseline; rubric unpublished)
+
+**Benchmark saturation and what it means**:
+- Frontier models now exceed expert baselines on ProtocolQA and Cloning Scenarios where humans previously outperformed AI
+- Authors conclude this is "highly ambiguous" in what it implies
+- VCT saturation seems more credible for concern due to benchmark's difficulty (tacit knowledge, can't google)
+- But: "we remain generally skeptical of assuming uplift from MCQs"
+
+**Core conclusion**: "existing evaluations do not provide _strong_ evidence that LLMs can enable amateurs to develop bioweapons." High benchmark performance is NOT sufficient evidence for actual bioweapon development capability. Physical bottlenecks make the benchmark-to-real-world translation extremely uncertain.
+
+**The governance wrinkle**: Anthropic activated ASL-3 for Claude 4 Opus precautionarily — unable to confirm OR rule out threshold crossing — because "clearly ruling out biorisk is not possible with current tools." This is the correct governance response to measurement uncertainty but confirms governance is operating under significant epistemic limitation.
+
+**SecureBio 2025-in-review acknowledgment**: "It remains an open question how model performance on benchmarks translates to changes in the real-world risk landscape; addressing this uncertainty is a key focus of 2026 efforts."
+
+## Agent Notes
+
+**Why this matters:** The KB claim [[AI lowers the expertise barrier for engineering biological weapons from PhD-level to amateur which makes bioterrorism the most proximate AI-enabled existential risk]] is grounded in VCT performance (o3 at 43.8% vs expert 22.1%). This source provides the strongest systematic analysis of what that comparison actually implies. VCT is the most credible benchmark (tacit knowledge, can't google answers) — so this specific claim has more credibility than MCQ-based claims. But the physical-world gap remains: scoring above a virologist on a text benchmark ≠ completing physical virus synthesis.
+
+**What surprised me:** Anthropic's precautionary ASL-3 activation for Claude 4 Opus when evaluation couldn't confirm threshold crossing. This is the governance system correctly adapting to measurement uncertainty — but it's remarkable that the most safety-conscious lab activates its highest protection level without being able to confirm it's necessary. This is exactly what governance under systematic measurement uncertainty looks like. It may be the right answer, but it's an expensive and high-friction approach that can't scale.
+
+**What I expected but didn't find:** Any published evidence that AI actually enabled a real uplift attempt that would fail without AI assistance. All uplift evidence is benchmark-derived; no controlled trial of "can an amateur with AI assistance synthesize [dangerous pathogen] when they couldn't without it" has been published. This gap is itself informative — the physical-world test doesn't exist because it's unethical to run.
+
+**KB connections:**
+- [[AI lowers the expertise barrier for engineering biological weapons from PhD-level to amateur]] — directly qualifies this claim; VCT credibility confirmed but physical-world translation gap acknowledged
+- [[the gap between theoretical AI capability and observed deployment is massive across all occupations]] — same pattern in bio: high benchmark performance, unclear real-world translation
+- [[voluntary safety pledges cannot survive competitive pressure]] — the precautionary ASL-3 activation is voluntary; if the evaluation basis for thresholds is unreliable, what prevents future rollback?
+
+**Extraction hints:**
+1. "Bio capability benchmarks measure text-accessible knowledge stages of bioweapon development but cannot evaluate somatic tacit knowledge, physical infrastructure access, or iterative laboratory failure recovery — making high benchmark scores insufficient evidence for operational bioweapon development capability" — new claim scoping the bio risk benchmark limitations
+2. "Governance under bio capability uncertainty requires precautionary threshold activation because physical-world translation cannot be benchmarked safely — as Anthropic demonstrated with Claude 4 Opus ASL-3 activation" — connects to governance design
+
+## Curator Notes (structured handoff for extractor)
+PRIMARY CONNECTION: [[AI lowers the expertise barrier for engineering biological weapons from PhD-level to amateur which makes bioterrorism the most proximate AI-enabled existential risk]] — provides scope qualification: this claim holds for text-accessible knowledge stages but not for physical synthesis capability
+WHY ARCHIVED: This is the most systematic treatment of the bio benchmark-reality gap; provides the conceptual framework for evaluating what "PhD-level bio capability" actually means for AI
+EXTRACTION HINT: Two claims to extract: (1) the scope qualification for bio capability claims (text ≠ physical), (2) the precautionary governance argument (when measurement fails, precautionary activation is the best available response). Confirm the VCT-specific claim about tacit knowledge before extracting — the existing KB claim on bioterrorism risk may need amendment rather than a new competing claim.
diff --git a/inbox/queue/2026-03-25-metr-algorithmic-vs-holistic-evaluation-benchmark-inflation.md b/inbox/queue/2026-03-25-metr-algorithmic-vs-holistic-evaluation-benchmark-inflation.md
new file mode 100644
index 00000000..b15335d0
--- /dev/null
+++ b/inbox/queue/2026-03-25-metr-algorithmic-vs-holistic-evaluation-benchmark-inflation.md
@@ -0,0 +1,57 @@
+---
+type: source
+title: "METR: Algorithmic vs. Holistic Evaluation — Reconciling the Developer Slowdown with Time Horizon Gains"
+author: "METR Research Team (@metr_evals)"
+url: https://metr.org/blog/2025-08-12-research-update-towards-reconciling-slowdown-with-time-horizons/
+date: 2025-08-12
+domain: ai-alignment
+secondary_domains: []
+format: blog-post
+status: unprocessed
+priority: high
+tags: [benchmark-inflation, holistic-evaluation, swe-bench, time-horizon, production-readiness, algorithmic-scoring]
+---
+
+## Content
+
+METR's research update that directly reconciles the apparent contradiction between time horizon capability gains (showing rapid AI improvement) and the developer productivity RCT (showing 19% slowdown). The key finding: the two results are compatible because they measure different things.
+
+**Core finding on benchmark inflation**: Frontier models achieve 70-75% success on SWE-Bench Verified under algorithmic scoring. But when METR applies holistic evaluation (would a maintainer merge this PR?), 0% of passing PRs are fully mergeable without substantial revision. METR explicitly states: "frontier model success rates on SWE-Bench Verified are around 70-75%, but it seems unlikely that AI agents are currently *actually* able to fully resolve 75% of real PRs in the wild."
+
+**The five failure modes captured by holistic but not algorithmic evaluation**:
+1. Missing/incorrect core functionality
+2. Inadequate testing coverage (100% of passing PRs had this gap)
+3. Missing/incorrect documentation (75%)
+4. Linting/formatting/typing issues (75%)
+5. Other code quality problems
+
+**The algorithmic vs. holistic distinction**: Algorithmic scoring measures "core implementation ability" — one part of a multifaceted evaluation problem. "Many goals are difficult to represent with algorithmic scoring functions." Optimizing for algorithmically verifiable rewards amplifies the gap between measured and actual capability.
+
+**Time horizon reconciliation**: Time horizon benchmarks (METR's primary governance-relevant metric) use the same algorithmic scoring approach. This means the 131-day doubling time likely reflects benchmark performance growth more than operational dangerous autonomy growth.
+
+**Quantitative specifics**:
+- 18 real repository tasks (averaging 1.3 hours each)
+- 38% algorithmic success rate (similar to ~50% HCAST benchmark)
+- 0% holistic success rate
+- 26 minutes average additional human work per "passing" PR (one-third of total task time)
+- Failure rates in non-core categories showed no significant difference between test-passing and test-failing runs
+
+## Agent Notes
+
+**Why this matters:** This is METR acknowledging that their own primary governance-relevant capability metric (time horizon, which uses the same algorithmic scoring) may overstate operational autonomous capability. This directly extends the session 13 disconfirmation finding and provides METR's own formal reconciliation of the benchmark-reality gap.
+
+**What surprised me:** METR's explicit statement that 70-75% SWE-bench success "seems unlikely" to translate to actual 75% PR resolution in the wild is stronger language than expected from the organization that produces the primary capability benchmark. This is the primary evaluator questioning its own metric's real-world relevance.
+
+**What I expected but didn't find:** A proposed alternative metric to replace algorithmic scoring for governance purposes. METR identifies the problem but doesn't propose a governance-ready replacement. The gap between "we know benchmarks overstate" and "here's what governance should use instead" remains open.
+
+**KB connections:**
+- [[scalable oversight degrades rapidly as capability gaps grow with debate achieving only 50 percent success at moderate gaps]] — extends this with a new mechanism: not just oversight degradation but benchmark architecture failure
+- [[AI capability and reliability are independent dimensions because Claude solved a 30-year open mathematical problem while simultaneously degrading at basic program execution during the same session]] — same family of capability ≠ reliability findings
+- [[the gap between theoretical AI capability and observed deployment is massive across all occupations because adoption lag not capability limits determines real-world impact]] — same theme, different domain
+
+**Extraction hints:** Primary claim: "AI autonomous software capability benchmarks overstate real-world task completion capability by approximately 2-3x because algorithmic scoring measures core implementation while omitting documentation, testing, and code quality requirements that production deployment demands." This is a well-evidenced claim with quantitative support (70-75% → 0% production-ready, 26 minutes additional work).
+
+## Curator Notes (structured handoff for extractor)
+PRIMARY CONNECTION: [[AI capability and reliability are independent dimensions]] — extends this from session behavior to systematic benchmark architecture failure
+WHY ARCHIVED: Provides METR's explicit acknowledgment of benchmark inflation for their own governance-relevant metric; closes the loop on the session 13 disconfirmation thread
+EXTRACTION HINT: Focus on (1) the specific quantitative gap (70-75% → 0%), (2) METR's explicit statement about what time horizon benchmarks miss, (3) the five failure mode taxonomy. Don't extract the developer productivity slowdown separately — that's the parent study; this is the theoretical reconciliation.
diff --git a/inbox/queue/2026-03-25-metr-developer-productivity-rct-full-paper.md b/inbox/queue/2026-03-25-metr-developer-productivity-rct-full-paper.md
new file mode 100644
index 00000000..d3b382e6
--- /dev/null
+++ b/inbox/queue/2026-03-25-metr-developer-productivity-rct-full-paper.md
@@ -0,0 +1,58 @@
+---
+type: source
+title: "Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity — Full RCT"
+author: "METR Research Team (Becker, Rush et al.)"
+url: https://metr.org/blog/2025-07-10-early-2025-ai-experienced-os-dev-study/
+date: 2025-07-10
+domain: ai-alignment
+secondary_domains: []
+format: research-paper
+status: unprocessed
+priority: medium
+tags: [developer-productivity, RCT, benchmark-reality-gap, METR, AI-tools, slowdown, human-AI-collaboration]
+---
+
+## Content
+
+METR's randomized controlled trial measuring how early-2025 AI tools affect productivity of experienced open-source developers working on their own repositories.
+
+**Study design**:
+- 16 experienced developers from large open-source repos (averaging 22k+ stars, 1M+ lines of code)
+- 246 completed issues (randomly assigned to allow/disallow AI use)
+- Primary AI tools: Cursor Pro with Claude 3.5/3.7 Sonnet
+- 143 hours of screen recordings analyzed at ~10-second resolution (29% of total hours)
+
+**Core finding**: AI tools caused developers to take **19% longer** to complete issues.
+
+**The perception gap**: Before tasks, developers forecast AI would reduce time by 24%. After completing the study, developers estimated AI had reduced time by 20%. Actual result: 19% *slower*. Developers systematically misperceive AI assistance as a productivity gain even when experiencing a slowdown.
+
+**Why developers were slower** (from factor analysis): METR identifies contributing factors but notes the full behavioral explanation is in the complete paper. The screen recording analysis enables decomposition at ~10-second resolution.
+
+**Statistical significance**: 246 issues provided "just enough statistical power to reject the null hypothesis." Confidence intervals use clustered standard errors. The effect is statistically significant but note the study is at the edge of statistical power.
+
+**Generalizability limitation**: Authors explicitly state they "do not provide evidence that AI systems do not speed up individuals or groups in domains other than software development." This finding is specific to: experienced developers, their own long-standing repositories, early-2025 AI tools (Cursor Pro + Claude 3.5/3.7 Sonnet), and real issues they'd normally work on.
+
+**arXiv paper**: 2507.09089. GitHub data: METR/Measuring-Early-2025-AI-on-Exp-OSS-Devs.
+
+## Agent Notes
+
+**Why this matters:** The parent study for the 0% production-ready finding. The developer productivity RCT is the most rigorous empirical study of AI productivity impact on experienced practitioners. The 19% slowdown combined with the perception gap (developers thought they were faster) is the most striking finding: AI creates an illusion of productivity while decreasing actual productivity for experienced practitioners in their own domain.
+
+**What surprised me:** The screen recording methodology (143 hours at 10-second resolution) is unusually rigorous for productivity research. METR was able to decompose exactly what developers were doing differently with vs. without AI. The behavioral mechanism behind the slowdown is documented but not in the blog summary.
+
+**What I expected but didn't find:** Task-type breakdown (bug fix vs. feature vs. refactor). The blog doesn't segment by task type. If the slowdown is concentrated in certain task types, that would substantially qualify the finding.
+
+**KB connections:**
+- [[the gap between theoretical AI capability and observed deployment is massive across all occupations because adoption lag not capability limits determines real-world impact]] — the developer RCT suggests it's not just adoption lag; even when experienced developers actively use AI, productivity can decrease
+- [[deep technical expertise is a greater force multiplier when combined with AI agents because skilled practitioners delegate more effectively than novices]] — this finding challenges that claim for the specific case of developers in their own long-standing codebases
+- [[human-in-the-loop clinical AI degrades to worse-than-AI-alone because physicians both de-skill from reliance and introduce errors when overriding correct outputs]] — analogous pattern: expert + AI → worse than expert alone in their domain
+
+**Extraction hints:**
+1. The perception gap ("thought AI helped, actually slower") is potentially a new KB claim about AI productivity illusion
+2. The methodology (RCT + screen recording) is the strongest design deployed for AI productivity research; worth noting in any claim about AI productivity evidence quality
+3. Note: The "0% production-ready" finding is from the holistic evaluation research (metr.org/blog/2025-08-12...), not from this RCT directly. This RCT found developers submitted "similar quality PRs" — the quality failure is for autonomous AI agents, not human+AI collaboration. These are two separate findings that should not be conflated.
+
+## Curator Notes (structured handoff for extractor)
+PRIMARY CONNECTION: [[the gap between theoretical AI capability and observed deployment is massive across all occupations]] — provides the strongest empirical evidence that expert productivity with AI tools may decline, not just lag
+WHY ARCHIVED: Foundation for the benchmark-reality gap analysis; also contains the strongest RCT evidence on human-AI productivity in expert domains
+EXTRACTION HINT: CRITICAL DISTINCTION: This RCT measures human developers using AI tools → they were slower. The "0% production-ready" finding is from METR's separate holistic evaluation of autonomous AI agents. Do NOT conflate. The RCT is primarily about human+AI productivity, the holistic evaluation is about AI-only task completion. Both matter but for different KB claims.