[WTL] RSP Security mitigations: Anthropic
How Anthropic will secure Claude's weights according to the RSP
The latest Responsible Scaling Policy (Version 3.4; July 8, 2026) defines mitigations for “Capability Thresholds”. Since RSP 3.0, mitigations are divided between what Anthropic commits to doing unilaterally and what they believe the industry as a whole should perform. Since May of last year, Anthropic has committed itself to ASL-3. The security mitigations Anthropic commits to involve improving upon ASL-3 but they suggest SL4 is an ideal for some capabilities. I’ll start with a general description of ASL-3, discuss some of the improvements Anthropic describes in the latest RSP, and touch on some details from their Frontier Safety Roadmap.
Note: This is a “writing to learn” exercise. See the following article for details.
ASL-3
While Anthropic references RAND SL4 as a industry-wide goal it doesn’t anywhere map their ASL to RAND SL. It mentions ASL-3 is “suitable against sophisticated non-state attackers”1 but “[s]ophisticated insiders” are explicitly out of scope. Therefore it sits somewhere between SL2 and SL3. What follows here is the list of what ASL-3 provides on top of ASL-2 along with a mention of how that maps to the RAND SL benchmarks.
egress bandwidth controls: These are only called for at SL4 in RAND’s benchmarks.
two-party control: This could be either SL2 or SL3. I stated a similar statement in OpenAI’s Framework suggested SL2 because it wasn’t clear the the interface employees interacted with could prevent employees from stealing the weights. On second thought, it may be enough that developers can’t download all the weights on some local device. If someone has unilateral read access for a short period after some approval and can’t feasibly make a copy that should be sufficient.
endpoint software control: I think binary allowlisting gets to SL4.
change management for secure development: This sounds like SLSA L3 (which OpenAI also appears to achieve though I misunderstood L3 to require multi-party review for all changes).
perimeter and access controls: I don’t have a clear picture in my mind what the boundaries are between SL3 and SL4 when it comes to network or physical controls. The only thing I can see in the SL4 benchmark that isn’t covered here is the banning of unauthorized devices but I’m not sure exactly what that would mean. One would have to leave their personal phone away from the office?
monitoring: No time-buffered review but they do have comprehensive logging with automated alerts. They also mention honeypots which I don’t remember seeing in anything I’ve read from OpenAI or GDM. I think this is at SL3.
Here and in the OpenAI WTL I’ve taken the approach of grading individual bullet points in the described security mitigations against the RAND SL benchmarks. I feel it’s been somewhat helpful as a learning exercise but I’m unsure how useful it is. I’m not sure how closely this has brought me to understanding what the deficit is between where Anthropic and OpenAI are and SL4. I also don’t think I understand why the measures they’ve instituted are insufficient to guard against sophisticated insiders.
Like the OpenAI Framework, Anthropic refers to various frameworks. There are two here unfamiliar to me:
CSA STAR Level 2: This is the same CSA of the AI Safety Initiative. Level 1 and 2 are self-assessment and third-party audit respectively. It sounds like it checks similar things as ISO 27001 or SOC 2 but with some cloud specific checks.
ISO 42001: This is a new standard for AI systems.
Improvements
Stepping away from the ASL-3 standard and back to the RSP, Anthropic describes some improvements they would make to the ASL-3 in preparation for certain capabilities.
Centralized controls on third-party apps and software updates. I would have assumed this would already be covered by the binary allowlisting in ASL-3.
Accounting for internal tools that are less restricted than external products; stronger internal application of the Usage Policy. I assume the lack of internal restrictions is the main thing preventing them from full achieving SL3. I wonder how much applying external controls internally would slow down development?
The new RSP also comes with a new Frontier Safety Roadmap with rich information about what specific security measures the company will experiment with over the next few months.
provable inference: “[P]rovably ‘signing’ AI model outputs in a way that makes them attributable to a specific set of model weights”. I would love to look more into how this is done cryptographically. This sounds like it would be extremely useful for protecting against weight tampering so I wonder why I haven’t heard of it before.
isolated network prototype: They are trying to gauge how expensive it would be to institute extreme security controls. I’m confused about the term “green lines”. Claude suggests it may refer to the connections an office would have to a fully air-gapped facility containing the actual models weights2.
The Roadmap also includes a plan for strengthening the fundamentals. It’s pretty detailed and it’s technically not in the RSP so I’ll save it for a separate article.
Competition and decision making
Anthropic commits to reaching or exceeding the risk reduction of its competitors. They also commit to burning some of their lead when they are on the verge of a “highly capable” model. The general impression I get is that they won’t lower their standards due to competitors taking risks. This is contrast to GDM where every recommendation is qualified with the statement that they will not follow it if similarly capable models take higher risks. That said, I’m not sure if GDM’s approach is that unreasonable and I may be misreading what Anthropic is saying here.
Conclusion
I suspect Google still beats Anthropic in the volume of externally available information about their security measures but there is still to much here for me to digest in one post. One reflection I have is that I should probably do a WTL on the RAND benchmarks or at least the threat models in the report. I don’t have a good intuition on how a given security mitigation matches up against the threats described in the report.
Remaining questions
What’s in the Frontier Compliance Framework? My impression is that it’s a stripped down version of the RSP that is more suitable to share with regulators. I should probably compare these compliance docs with the RSPs for each company for which I can find both.
What are the powers of the Board of Directors and the Long-Term Benefit Trust? What is the nature of the Responsible Scaling Officer role? I should look more into the governance structure of each lab in addition to the content of the RSPs.
https://www.anthropic.com/news/activating-asl3-protections
https://claude.ai/share/7879b4c5-50df-4a47-ab96-0da2cc1d4903
