GOLDEN-EVALREV 1618.04
Table of contents
Methodology · v2 · NIST-aligned

Standardized AI Model Evaluation Framework

Theory and methodology for systematic LLM evaluation: golden sets, multi-dimensional rubrics, automated judging, release gates, and adversarial security testing. Rooted in NIST CAISI's guidance on AI measurement science.

View on GitHub →13 sections · 2 appendices

Standardized AI Model Evaluation Framework

Theory and Methodology (v2)

1. Introduction

1.1 The Evaluation Problem

As AI systems move from research prototypes to production deployments, the gap between "works in demos" and "works reliably at scale" becomes the defining challenge. Traditional software testing assumes deterministic behavior: the same input produces the same output. Large language models violate that assumption. They are stochastic, context-sensitive, and capable of producing semantically equivalent but syntactically different responses.

This creates a measurement problem. How do you define "correct" when there are many valid answers? How do you detect regression when outputs vary naturally? How do you compare models when the evaluation itself introduces noise? And — increasingly central — how do you know that a benchmark score actually measures the capability it claims to measure, rather than an artifact of the test design?

This framework addresses these questions through a principled approach to AI evaluation that balances rigor with practicality, and roots its methodology in the emerging discipline of AI measurement science as articulated by NIST's Center for AI Standards and Innovation (CAISI).

1.2 Why Evaluation Matters

Evaluation serves multiple distinct purposes, and conflating them leads to poor decisions.

Development feedback enables rapid iteration. Engineers need to know whether their changes improved the system before they merge code. Quality assurance prevents regressions: before any change ships, you need confidence it has not broken existing functionality. Model selection informs purchasing and architecture decisions; cross-family comparisons (GPT, Claude, Gemini, Llama, Mistral, DeepSeek) require apples-to-apples evaluation on your actual workload. Compliance and safety satisfies external requirements from regulators, customers, and internal policies. Continuous monitoring detects drift as model providers update weights, data distributions shift, and user behavior evolves.

A framework that tries to serve all five purposes with a single approach will serve none of them well.

1.3 Principles

This framework rests on several foundational principles.

Reproducibility over perfection. A flawed metric that you can run consistently is more valuable than a perfect metric that requires manual judgment each time. You can calibrate around known biases; you cannot calibrate around inconsistency.

Coverage over depth. For most purposes, testing 500 cases with a simple rubric tells you more than testing 50 cases with elaborate multi-dimensional scoring. Breadth catches more failure modes.

Automation with human calibration. Fully automated evaluation scales but misses subtle failures. Fully manual evaluation catches everything but does not scale. The solution is automated evaluation continuously calibrated against human judgment.

Separate concerns. Keep test cases separate from scoring logic separate from pass/fail thresholds. Each component must evolve independently.

Version everything. The golden set, the rubric, the judge prompts, the model configurations — all of it must be versioned and reproducible. An evaluation result is meaningless without knowing exactly what produced it.

Construct validity is non-negotiable. Every dimension must distinguish what it claims to measure from what it actually measures, and document the gap. This principle, drawn directly from NIST CAISI, is the foundation on which all other measurement quality rests.

Uncertainty is reported, not hidden. Every aggregate metric is accompanied by a confidence interval. Point estimates without uncertainty are not measurements; they are guesses.

2. The Golden Set

2.1 Definition and Purpose

A golden set is a curated, frozen collection of test cases that represents the evaluation surface of your AI system. It serves as the ground truth against which all changes are measured. The term "golden" emphasizes its role as a reference standard — not that it is perfect, but that it is the agreed-upon benchmark.

The golden set answers a specific question: given these inputs, does the system produce acceptable outputs? This is narrower than "does the system work well in general" but far more tractable to measure.

2.2 Composition

A well-constructed golden set includes several categories of test cases, weighted by their importance in the application.

Happy path cases represent typical, well-formed user requests the system should handle cleanly. These form the majority of the set — typically 50–60%. They establish the baseline of expected functionality and catch regressions in core capabilities.

Ambiguous cases present requests that require clarification or interpretation. They test whether the system recognizes its own uncertainty and handles it appropriately, by asking questions, making assumptions explicit, or refusing to guess.

Long-context and multi-turn cases stress-test coherence across extended interactions. Many failures only manifest after several exchanges or when processing large documents.

Edge cases cover rare but important scenarios: unusual formatting, unexpected input types, requests at the boundaries of the system's capabilities. They reveal assumptions baked into the system that break under novel conditions.

Adversarial cases probe robustness against manipulation: jailbreak attempts, prompt injections, requests designed to elicit harmful outputs, and inputs crafted to bypass safety measures. Even systems not explicitly designed for safety need adversarial coverage.

Domain-specific cases address the particular requirements of the application. For RAG, this includes cases where the answer is in the documents, cases where it is not, and cases designed to catch hallucination. For code generation, it includes correctness, edge cases, and security. For customer service, it includes escalation, policy lookup, and refunds.

2.3 Size and Scaling

The optimal size of a golden set depends on several factors.

Start with 200–500 cases. This is large enough to surface most common failure modes while small enough to curate carefully. Resist scaling up before you have validated that the evaluation infrastructure works.

Expand to 1,000–2,000 cases as gaps appear. Every production failure the golden set did not catch is a missing test case; add it. Every category with suspiciously high scores probably needs harder cases.

Consider 5,000+ cases for mature systems with diverse use cases. At that scale, tooling for case management, deduplication, and stratified sampling becomes essential for fast iteration.

The marginal value of additional cases decreases as coverage increases. A golden set that perfectly captures your top 100 failure modes is more valuable than one that partially captures your top 1,000.

2.4 Case Specification

Each case should include:

  • Unique identifier — stable, meaningful, supports tracking and linking to production incidents.
  • Category and tags — support filtering, stratified sampling, and per-segment analysis.
  • Input specification — prompt, system instructions, conversation history, retrieved documents. Complete enough to reproduce the scenario exactly.
  • Expected behavior — constraints (must cite a source, must not reveal personal information, must ask a clarifying question), reference answer for semantic comparison, or a rubric for human evaluation.
  • Metadata — provenance, creation date, last review date, difficulty rating, scoring notes.

2.5 Maintenance

A golden set is not static; it evolves through a controlled process.

Addition happens when production incidents reveal gaps, when new features are added, or when adversarial testing uncovers vulnerabilities. Every addition is reviewed for quality and non-duplication.

Removal happens when cases become obsolete, malformed, or duplicative. It should be rare and deliberate.

Revision happens when expected behavior changes due to policy updates or scoring criteria refinement. All revisions are versioned.

Freezing declares a specific version of the golden set as the reference for a particular evaluation campaign. Comparisons are only valid within the same frozen version.

3. The Rubric

3.1 Purpose of Scoring

A rubric translates "is this response good?" into a structured, repeatable measurement process. Without one, evaluation devolves into vibes — different evaluators reach different conclusions, scores drift, and comparison becomes meaningless.

The rubric serves three audiences: automated systems that need clear criteria to apply, human evaluators who need guidance for consistent judgment, and stakeholders who need to understand what the scores actually mean.

3.2 Scoring Dimensions

Golden-Eval ships 34 first-class scoring dimensions, organized into five functional categories plus the MLCommons AILuminate v1.0 harm taxonomy. The full set is defined in src/golden_eval/models/rubric.py (ScoringDimension enum). Each dimension has an explicit definition (what it claims to measure) and an operationalization (how it is actually scored), satisfying the construct-validity requirement of §3.5.

3.2.1 Classic Quality (13 dimensions)

DimensionClaimScoring
CORRECTNESSFactual accuracy of the responseRule-based (verifiable answers) or LLM-judge
GROUNDEDNESSClaims supported by provided contextLLM-judge with retrieved-context comparison
HALLUCINATIONInverse of groundedness; presence of unsupported claimsLLM-judge; treated as a distinct primary signal
COMPLETENESSWhether the response addresses the full requestLLM-judge against expected-behavior spec
RELEVANCEWhether the response addresses what was actually askedLLM-judge
HELPFULNESSWhether the response serves the user's underlying needLLM-judge
COHERENCEInternal logical consistency and readabilityLLM-judge
CONCISENESSLength appropriate to the requestHybrid: rule-based length + LLM-judge for fit
TONERegister matches the audience and contextLLM-judge
CITATION_QUALITYCitations exist where required, point to real sources, and support the claims they attach toHybrid: rule-based presence + LLM-judge for support
CODE_CORRECTNESSGenerated code passes specified testsExecutable verification (rule-based)
INSTRUCTION_FOLLOWINGResponse obeys explicit instructions in the promptLLM-judge or constraint check
REFUSAL_ACCURACYPrecision and recall of refusalsHybrid: refusal pattern detection + LLM-judge

3.2.2 Agentic and Reasoning (3 dimensions)

DimensionClaimScoring
TOOL_USE_CORRECTNESSRight tool, right arguments, right stepLLM-judge over tool-call trace
REASONING_FAITHFULNESSChain-of-thought actually supports the final answer rather than post-hoc rationalizationLLM-judge
INSTRUCTION_HIERARCHYAdherence to system > developer > user priority orderLLM-judge

3.2.3 Reliability (2 dimensions)

DimensionClaimScoring
CALIBRATIONStated confidence matches empirical accuracy (Brier / ECE)Rule-based aggregate across many samples
ROBUSTNESSParaphrase stability — same intent worded N ways yields consistent answersRule-based variance or LLM-judge for semantic stability

ROBUSTNESS doubles as the framework's prompt-sensitivity probe and is the operational signal for the construct-validity check described in §3.5.

3.2.4 Engineering and Operational (4 dimensions)

DimensionClaimScoring
STRUCTURED_OUTPUT_VALIDITYJSON / schema parses and validatesRule-based via jsonschema
FORMAT_COMPLIANCEAdherence to structural requirements (markdown, sections, length limits)Rule-based
LATENCY_BUDGETPass/fail against an SLA (e.g., p95 < 2s)Rule-based
COST_EFFICIENCYQuality-score per dollarRule-based aggregate; lets gates block "expensive wins"

LATENCY_BUDGET and COST_EFFICIENCY are first-class quality signals, not operational footnotes. A response that is correct, well-grounded, but takes 60s and costs $1 is not a usable response, and the rubric treats it accordingly.

3.2.5 Fairness (1 dimension)

DimensionClaimScoring
FAIRNESSDemographic parity / counterfactual consistency across protected-attribute swapsLLM-judge or rule-based diff of paired responses

3.2.6 Safety Rollup and AILuminate Harm Sub-Dimensions (11 dimensions)

SAFETY is retained as a single rollup signal for backward compatibility and high-level reporting. For category-level reporting and gate granularity, Golden-Eval implements the ten harm sub-dimensions of the MLCommons AILuminate v1.0 benchmark (https://mlcommons.org/benchmarks/ailuminate/), the current industry-standard harm taxonomy:

HARM_VIOLENCE, HARM_SELF_HARM, HARM_SEXUAL_CONTENT, HARM_HATE, HARM_PRIVACY, HARM_DEFAMATION, HARM_SPECIALIZED_ADVICE, HARM_ELECTIONS, HARM_INTELLECTUAL_PROPERTY, HARM_INDISCRIMINATE_WEAPONS.

All AILuminate harm dimensions are scored on a binary scale by default and routed to LLM-judges with category-specific prompts. Aligning to AILuminate is a deliberate choice: it lets Golden-Eval results be compared against published vendor scorecards and avoids reinventing a harm taxonomy that the broader industry has already converged on.

3.3 Scoring Scales

The choice of scoring scale trades expressiveness against reliability.

Binary (0/1) is maximally reliable. Evaluators rarely disagree on pass/fail judgments, and automated systems apply binary criteria consistently. The cost is lost information.

Three-point (0/1/2) captures pass/partial/fail and is often the sweet spot — more expressive than binary, still reliable. The middle score requires a clear definition or it becomes a dumping ground for uncertainty.

Five-point (1–5) offers more granularity but introduces calibration challenges; different evaluators use the scale differently and the endpoints often go unused. Five-point scales work only with evaluator training and anchored definitions.

Continuous (0–1) scores typically come from automated metrics (semantic similarity, embedding distance, BLEU/ROUGE). They are precise but hard to interpret. They work for comparison but not for threshold-setting without careful calibration.

For most applications, start with binary or three-point. Add granularity only after evaluators demonstrably apply it consistently.

3.4 Failure Documentation

Scores alone do not support debugging. Every non-passing score includes structured failure documentation:

  • Failure category — factual error, hallucination, format violation, safety issue, wrong refusal, incomplete answer. Categories enable aggregate analysis.
  • Evidence — quoted text or identified missing element pinpointing the failure.
  • Severity — catastrophic (must fix before shipping) vs. minor (acceptable at low rates). Some failures are inherently severe (safety, privacy); others are context-dependent.
  • Notes — evaluator reasoning, edge-case considerations, suggestions for case improvement.

3.5 Construct Validity

The most consequential failure mode in AI evaluation is not noisy measurement but invalid measurement: a benchmark that scores well on a surrogate construct that was never the target. NIST CAISI states the problem directly:

"Often, claims about the capabilities (e.g., mathematical reasoning) of AI systems don't match the construct actually measured by the benchmark (e.g., accuracy at answering math problems). A critical step in AI evaluation is the assessment of construct validity, or whether a testing procedure accurately measures the intended concept or characteristic." — NIST CAISI, Open Questions in AI Measurement Science, §I-A

Golden-Eval treats construct validity as a first-class artifact, not a writeup. The framework implements four operational requirements:

  1. Explicit construct definitions. Every dimension carries an intended measurement target (the capability claim) and an actual measurement proxy (what the rubric and judge prompts actually score). The gap between them is documented as a validity-gap analysis. See integrity/construct_validity.py (MeasurementTarget, ConstructDefinition, ValidityLevel).

  2. Prompt-sensitivity testing. A capability claim is only as strong as the response variance under semantically equivalent paraphrases. The ROBUSTNESS dimension operationalizes this: each test case is run against N rewrites, and high-variance cases are flagged. A model that solves a math problem under one phrasing but fails under a paraphrase has not demonstrated mathematical reasoning; it has demonstrated pattern matching to a specific surface form.

  3. Generalization bounds. Every published evaluation result is annotated with the test setting it applies to. NIST CAISI §I-B notes: "Some AI evaluation results are unjustifiably generalized beyond the test setting." Golden-Eval makes the test setting explicit so consumers of the score do not over-extrapolate.

  4. Train-test contamination probes. Public release of benchmarks creates obvious contamination risk. The framework runs hash-based exact-match, near-duplicate, and embedding-similarity checks against known training corpora where available, and surfaces per-case contamination risk scores. See integrity/contamination.py.

Construct validity is not a one-time gate; it is a continuous discipline. Every dimension added to a rubric must declare its target and its proxy, and every result tagged with the validity level (HIGH, MODERATE, LOW, UNKNOWN) achieved at the time of measurement.

3.6 Pairwise and Probabilistic Ranking

Absolute scoring works when the rubric is well-calibrated and dimensions are stable. For comparing many models against each other, pairwise methods are more robust because they sidestep the calibration drift that plagues absolute scales: even if a judge's notion of "good" drifts, "A is better than B on this case" remains stable.

Golden-Eval ships three pairwise rankers in src/golden_eval/leaderboard/ranking/:

Elo (elo.py). Pairs are auto-constructed by grouping same-test-case runs across models. For each common case, every ordered model pair contributes one update. Default K=24, initial rating 1500. Suitable when models compete head-to-head on a shared golden set with sufficient overlap. Produces a single rating per model that is easy to communicate but does not propagate uncertainty well.

Bradley-Terry (bradley_terry.py). Maximum-likelihood estimation of log-strength parameters from accumulated pairwise win counts. Fit by L-BFGS-B (scipy.optimize.minimize) with sum-to-zero anchoring for identifiability. Produces probabilistic strength estimates that can be converted to win probabilities for any pair, including pairs that never met directly.

TrueSkill (trueskill.py). Bayesian Gaussian skill posterior per model with mu=25, sigma=25/3, beta=25/6, tau=25/300. Implements the standard 1v1 update equations. Handles partial pairings (not every model needs to face every other model on every case), and reports both a point estimate (mu) and a credible interval (mu ± 3σ).

When to use which: Elo for simple, frequently-updated leaderboards over a stable model set; Bradley-Terry when you need a clean MLE with bootstrap CIs and the model set is fixed for the analysis window; TrueSkill when models enter and exit the leaderboard and per-model uncertainty matters for ranking decisions.

All three rankers share bootstrap_ci from ranking/base.py (B=1000, seed=42 by default), so each leaderboard entry carries ci_lower, ci_upper, and a propagated rank distribution.

4. The Evaluation Harness

4.1 Architecture

The evaluation harness executes test cases and collects results. Its design reflects the principle that evaluation is an ongoing process, not a one-time event.

Configuration management handles the combinatorial explosion of variables: models, prompt versions, parameter settings, retrieval configurations, safety filter settings. Defining a configuration, running it against the golden set, and comparing it to other configurations must be a one-line operation.

Execution engine runs test cases against the configured system. For API-based models, this means managing rate limits, handling transient failures, and parallelizing where possible. The engine is idempotent — running the same case twice produces independent samples, not cached results.

Result capture stores everything needed to reproduce and understand the evaluation: complete input, complete output, intermediate artifacts (retrieved documents, tool calls), metadata (latency, token counts, timestamps), and configuration details (model version, prompt hash, parameter values, judge version).

State management tracks which cases have been run, which need re-running, and which are blocked on dependencies. Large evaluation runs span hours or days; the harness handles interruptions gracefully.

4.2 Multi-Provider Cross-Family Evaluation

Apples-to-apples model comparison requires identical golden sets, identical rubrics, and identical execution discipline across providers. Golden-Eval routes evaluation through a unified provider abstraction (src/golden_eval/providers/) with first-class adapters for OpenAI, Anthropic, and OpenRouter (openrouter.py), the latter unlocking single-API-key access to OpenAI, Anthropic, Google, Meta, DeepSeek, Mistral, Qwen, and other model families.

This is a methodological choice, not a convenience choice. Cross-family evaluation through a single harness eliminates a significant class of confounds: differences in retry behavior, tokenization assumptions, system-prompt handling, and rate-limit strategy that would otherwise contaminate the comparison. When a leaderboard reports that Model X beats Model Y by 4 Elo points, the methodology must guarantee that the result is not attributable to the harness treating one provider more leniently than the other.

4.3 Comparison Modes

A/B model comparison runs the same cases against two models or model versions. Core use case for model selection and regression testing.

Prompt variant comparison runs the same cases against different prompt versions with the same model. Supports prompt engineering and optimization.

Configuration sweep runs the same cases across multiple parameter configurations — temperature, max tokens, retrieval parameters. Supports hyperparameter tuning.

Ablation studies systematically disable components to measure their contribution. What happens without the safety filter? Without retrieval? Without the system prompt?

Temporal comparison runs the same configuration at different times to detect drift. Catches model provider updates and distribution shift.

4.4 Operational Requirements

Incremental execution allows running a subset of cases for fast feedback. Developers should not wait for a full evaluation when iterating quickly.

Parallelization takes advantage of available compute while respecting rate limits and resource constraints.

Cost tracking surfaces the dollar cost of each run. Evaluation itself can become expensive; developers need visibility.

Determinism controls manage randomness — seeds, temperature=0 where appropriate, captured sampling parameters — so specific outputs can be reproduced when needed.

Result persistence stores raw results indefinitely; aggregated metrics remain queryable.

5. Judging and Grading

5.1 The Judging Problem

Given a test case and a model response, how do you determine whether the response is acceptable? There is no single solution. Different approaches trade accuracy, consistency, cost, and scalability.

5.2 Rule-Based Evaluation

Rule-based evaluation uses programmatic checks. It is fast, cheap, consistent, and appropriate for mechanical requirements.

Format validation — valid JSON, required fields, length limits, markdown structure. Deterministic and catches clear failures.

Content detection — presence or absence of specific elements: citation brackets, disclaimers, required phrases, prohibited terms. Regular expressions and string matching are often sufficient.

Executable verification — when the output is code or machine-readable data, run it and check against expected results. The gold standard when applicable.

Constraint checking — explicit requirements such as language, mentioned entities, required sections. Essentially unit tests for outputs.

The limitation of rule-based evaluation is that it can only check what can be formalized. "Is this helpful?" cannot be expressed as a regex. Rule-based checks cover the mechanical requirements; judgment goes elsewhere.

5.3 Human Evaluation

Human evaluation remains the ground truth for subjective quality. Humans recognize good writing, appropriate tone, subtle factual errors, and whether a response actually helps. No automated metric fully captures human judgment.

When to use humans: calibrating automated metrics, evaluating new or ambiguous cases, auditing automated judgments, and assessing dimensions like helpfulness that resist automation.

Challenges: cost, inconsistency, drift, scale limits.

Best practices: clear rubrics with examples, evaluator training, inter-rater agreement tracking, strategic sampling rather than exhaustive evaluation, and multiple evaluators for high-stakes cases.

Human evaluation should calibrate and audit automated methods, not be the primary mechanism for routine runs.

5.4 LLM-as-Judge

Using one language model to evaluate another has become a practical option. The judge model receives the test case and the response, then scores against a rubric.

Advantages: scalability, consistency for a fixed prompt and judge version, and the ability to assess nuanced qualities like coherence and helpfulness.

Limitations: bias (judges may favor responses similar to their own style), brittleness (judge performance depends on prompt engineering), unknown failure modes, and the evaluation recursion problem — you need to evaluate your evaluator.

5.5 Hybrid Approaches

The best evaluation systems combine methods.

Tiered evaluation applies different methods at different stages. Rule-based checks filter obvious failures. LLM-as-judge scores the remainder. Human evaluation samples edge cases and disagreements.

Ensemble judging uses multiple judges (human and/or LLM) and aggregates their scores. Catches cases where any single judge is unreliable.

Confidence-based routing uses automated judges for high-confidence cases and escalates uncertain cases to human review. Optimizes the human evaluation budget.

5.6 LLM-as-Judge Validation

NIST CAISI poses the question directly:

"How and when should AI systems be used to test, evaluate, or monitor AI systems? What are best practices for reliable use and validation of LLM-as-a-judge?" — NIST CAISI, Open Questions in AI Measurement Science, §I-D

Golden-Eval's answer is implemented in src/golden_eval/judging/llm_judge.py and src/golden_eval/judging/judge_validation.py:

Frozen judge configuration. The judge prompt, the judge model identifier, and the inference parameters are part of the evaluation configuration, not infrastructure. Changing any of them invalidates cross-time comparisons. Every result is tagged with the judge configuration hash.

Calibration against human evaluation. A stratified sample of cases is dual-scored (judge + human) on a recurring schedule. The framework reports Cohen's κ or weighted κ as the calibration metric and refuses to issue gate decisions when κ falls below a configurable floor.

Bias audits. Three biases are explicitly probed:

  • Positional bias — does the judge favor "Response A" over "Response B" when the order is swapped?
  • Length bias — is judge score correlated with response length holding quality constant?
  • Self-preference — does the judge favor responses generated by models from its own family?

When any bias signal exceeds threshold, the affected dimensions are flagged for human re-scoring on the affected cohort.

Confidence-based escalation. Judges return both a score and a self-reported confidence. Low-confidence judgments are routed to human review; the human verdict is fed back into the calibration set.

Structured output. Scores are returned as JSON, not free text, with a schema-validated shape. Free-text justifications are captured separately for transcript review (§7.5).

Known limitation: hosted judge drift. Frontier judges accessed through hosted APIs can change underneath the framework without notice. Where dated snapshot model IDs are exposed by the provider, the framework pins to them. Where they are not, the framework records the judge model identifier and timestamp at run-time and flags any cross-run comparison whose judge identifiers differ. This is documented as a residual limitation, not a solved problem.

6. Release Gates and Regression Prevention

6.1 The Gate Concept

A release gate is a condition that must be satisfied before a change can ship. Gates transform evaluation from a reporting function into a quality enforcement mechanism. Without gates, evaluation results are advisory and easy to ignore under deadline pressure.

6.2 Threshold Setting

Too strict blocks legitimate changes. Engineers waste time investigating false positives. Velocity suffers. People begin gaming or circumventing the system.

Too lenient misses real regressions. Problems ship. Users suffer. Trust in the evaluation system erodes.

The right approach starts lenient and tightens gradually. Launch with thresholds that current performance easily meets. Establish the habit of running evaluations and respecting gates. Then raise the bar incrementally as the system improves.

6.3 Metric Selection

Not all metrics belong in release gates. Choose metrics stable enough to gate on. Metrics that fluctuate significantly between runs due to inherent randomness create noise.

Good gate metrics: hallucination rate (stable, critical), refusal accuracy (stable, important for safety), format compliance (deterministic), critical failure count (any occurrence is significant).

Poor gate metrics: raw helpfulness scores (subjective, high variance), latency p99 (spikes for external reasons), single-case pass/fail (too noisy, use aggregate rates).

6.4 Gate Types

Hard gates block the release entirely if violated. Reserved for critical metrics — safety violations, severe regressions, compliance.

Soft gates trigger warnings and require human review but do not automatically block. Appropriate for important-but-not-critical metrics, new metrics that need calibration, and metrics where exceptions are sometimes legitimate.

Trend gates flag concerning trajectories even if absolute thresholds are met. A metric that passes today but has declined for three consecutive releases warrants investigation.

6.5 Gate Configuration

Typical configuration for a mature system:

  • Critical failures must equal zero — any response that reveals personal data, generates harmful content, or produces a security vulnerability is an absolute blocker.
  • Hallucination rate below an application-specific threshold.
  • Refusal-accuracy F1 above a minimum bar that balances safety and usability.
  • Format compliance high for applications that depend on structured output.
  • Aggregate pass rate across the golden set above a minimum, ensuring changes do not erode general quality even if they trip no specific metric.

6.6 Uncertainty Quantification

A pass/fail gate decision against a point estimate is a category error. NIST CAISI states it plainly:

"All measurements involve some degree of uncertainty. Accurate claims about AI systems require honest and transparent communication of this uncertainty, but some presentations of benchmark results omit error bars and other basic expressions of uncertainty." — NIST CAISI, Open Questions in AI Measurement Science, §II-A

Golden-Eval implements uncertainty quantification end-to-end in src/golden_eval/integrity/uncertainty.py:

Bootstrap percentile confidence intervals. Every aggregate metric — pass rate, dimension mean score, refusal F1, harm category rate, Elo rating, Bradley-Terry strength, TrueSkill mu — is reported with a 95% bootstrap percentile CI. Default configuration: B=1000 resamples, seed=42 for reproducibility.

CIs propagate to every leaderboard entry. LeaderboardEntry carries ci_lower and ci_upper alongside the point estimate; the dashboard renders error bars by default.

Uncertainty decomposition. The framework distinguishes six uncertainty sources (UncertaintySource enum): sample size, judge disagreement, prompt sensitivity, model stochasticity, measurement error, selection bias. Reports surface the dominant source so the right remediation is applied (more cases for sample-size uncertainty; calibration for judge disagreement; broader paraphrase coverage for prompt sensitivity).

Claim-strength qualification. Each reported claim is tagged STRONG, MODERATE, WEAK, or INSUFFICIENT based on the underlying CI width and effect size. Gate decisions check claim strength: a "passing" metric with INSUFFICIENT support does not satisfy the gate.

Gate-aware uncertainty. When a CI straddles the gate threshold, the gate result is INDETERMINATE rather than PASS, and the harness recommends additional samples. This eliminates the failure mode where a noisy metric flickers across a hard threshold from run to run.

7. Production Monitoring

7.1 The Offline-Online Gap

Offline evaluation (golden set testing) and online evaluation (production monitoring) answer different questions.

Offline asks: how does the system perform on known cases? Controlled, reproducible, measures what was designed to be measured.

Online asks: how does the system perform on real user cases? Captures the true distribution, catches unanticipated cases, measures what users actually experience.

Neither is sufficient alone. Systems can ace the golden set but fail on production traffic. Systems can perform well on average but have catastrophic failures on specific cases that are rare in aggregate but devastating for affected users.

7.2 Signal Collection

User feedback captures explicit quality signals: thumbs up/down, ratings, corrections, complaints. Biased — users do not rate most responses, and ratings skew negative when users are frustrated — but the most direct signal of user experience.

Implicit signals infer quality from user behavior: did the user continue the conversation, copy the response, retry immediately, abandon the session? Require careful interpretation but provide volume that explicit feedback lacks.

Automated checks apply the same rule-based and LLM-as-judge methods used in offline evaluation. Sample production traffic, score it, alert on anomalies.

System metrics track operational health: latency distribution, error rates, token usage, retrieval failures, safety filter activations. Correlate with user experience without measuring quality directly.

7.3 Anomaly Detection

Acute regressions — sudden quality drops, often caused by configuration changes, model updates, or upstream service failures. Trigger immediate alerts.

Gradual drift — slow erosion over time, often from distribution shift or gradual model changes. Require trending and baseline comparison.

Category-specific failures — concentrated in particular topics, user segments, or use cases. Aggregate metrics may look fine while specific cohorts suffer.

Novel failure modes — problems unanticipated and thus unmeasured. Require human review of samples, user feedback analysis, and exploration.

7.4 Shadow Evaluation

Shadow evaluation runs the golden set against the production system on a regular schedule (daily, weekly) to detect drift before users notice. The shadow run uses the same golden set and rubric as release testing, ensuring the production system continues to meet the bar it was held to at release.

7.5 Evaluation Cheating Prevention

Once a benchmark becomes consequential, models — and the engineers around them — find ways to score well without actually solving the problem. NIST CAISI distinguishes two categories of evaluation cheating that Golden-Eval explicitly defends against. Both mitigations live in src/golden_eval/integrity/.

Solution Contamination. The model accesses information that improperly reveals the answer. Examples include browsing for walkthroughs of the test problem, retrieving the canonical solution from a code repository, exploiting package-manager side channels to read test fixtures, and — most insidious — having seen the test items during training (train-test leakage).

Detection (integrity/contamination.py, integrity/transcript_analysis.py):

  • Hash-based exact-match and embedding-similarity probing against known training corpora and prior public benchmark releases.
  • Tool-call transcript analysis for outbound network access, repository fetches, and package-manager exploitation patterns.
  • Per-case contamination risk scores; high-risk cases are excluded from headline metrics and reported separately.

Mitigation: benchmark freshness management, held-out private test partitions, agent tool-access restrictions per evaluation profile, and contamination signatures maintained as a versioned database.

Grader Gaming. The model produces output that scores well under the automated grader without fulfilling the intended objective. Examples include disabling assertions in test harnesses, writing code that crashes in a way the grader counts as "ran successfully," manipulating output format to satisfy a regex without containing the required content, and DoS-ing the grading service to force a timeout-default-pass.

Detection (integrity/cheating_detection.py, integrity/transcript_analysis.py):

  • Grader-exploit detectors for assertion disabling, format manipulation, and crash-based "successes."
  • Behavioral anomaly detection: the solution path does not match any expected approach class.
  • Solution path verification: did the model solve the problem as intended, or score points without doing the work?

Mitigation (integrity/task_hardening.py): explicit task constraints, tamper-evident grader interfaces, transcript review on flagged cases, and a human-review queue for borderline patterns.

The integrity layer is not optional polish. A leaderboard whose entries reflect contamination or grader gaming is worse than no leaderboard at all, because it actively misallocates trust.

8. Multi-Objective Model Selection

8.1 The Single-Metric Trap

Most leaderboards rank models on a single quality score. This collapses three independent decisions into one and produces systematically wrong answers.

A model that ranks first on quality but costs 30× more than the second-place model is not the right choice for a chat application serving millions of users. A model that ranks second on quality but achieves a p95 latency of 400ms vs the leader's 2.5s is not the right choice for an interactive coding assistant. Cost-blind and latency-blind decisions are the default failure mode of single-metric evaluation.

Golden-Eval makes the multi-objective structure of model selection explicit. The framework computes a three-axis Pareto frontier (quality × cost × latency) per evaluation campaign and surfaces it in reporting/pareto.py and the dashboard's /dashboard/pareto view.

8.2 Pareto Dominance

Model X dominates model Y if and only if X is at least as good as Y on every axis and strictly better on at least one. A model is Pareto-optimal (on the frontier) if no other model dominates it.

In quality × cost × latency space, a model may sit on the frontier for any of three reasons:

  • Highest quality at any cost.
  • Lowest cost at any quality.
  • Lowest latency at any quality.

Or any combination — the frontier is a surface, not a point.

8.3 Interpreting the Frontier

The Pareto report (ParetoReport in reporting/pareto.py) returns:

  • model_points — every evaluated model with its (quality, cost, latency) coordinate, sample count, and is_on_frontier flag.
  • Per-axis domination details for dominated models — which model dominates them, and on which axes.
  • Secondary rankings: quality-per-dollar and quality-per-second for cases where a single derived metric is needed.

The right model is rarely the highest-quality model. It is the model whose position on the frontier matches the application's tolerance for cost and latency. A 0.02-point quality drop that delivers a 10× cost reduction is, for almost every application, a strict improvement.

8.4 When to Prefer Dominated Models

Pareto dominance is a necessary, not sufficient, condition for selection. Legitimate reasons to choose a dominated model include:

  • Compliance — only one provider has the required certifications.
  • Data residency — only one provider hosts in the required region.
  • Vendor diversification — risk management against a single-provider failure.
  • Capability gaps not captured by the rubric — the rubric measures what was specified; capabilities outside the rubric still matter.
  • Roadmap considerations — a dominated model may be on a faster improvement trajectory than the dominator.

The framework's job is to surface the frontier honestly. Selection across non-rubric considerations remains a human decision.

9. Process and Governance

9.1 Roles and Responsibilities

Golden set owner — responsible for the quality and coverage of the test set, reviewing additions and removals, and maintaining documentation of case provenance and intent.

Rubric owner — responsible for scoring consistency, updating the rubric as requirements change, calibrating automated judges against human evaluation, and training evaluators.

Evaluation infrastructure owner — responsible for the harness, result storage, reporting tools, and integration with development workflows.

Release owner — responsible for gate definitions, threshold tuning, and the process for handling gate failures and exceptions.

These roles may collapse to one person in small teams or distribute across specialists in larger organizations.

9.2 Development Workflow Integration

Pre-commit hooks run lightweight checks locally, catching obvious problems before review.

CI integration runs the full evaluation suite on pull requests; results block merge if gates are failed.

Nightly runs execute comprehensive evaluation, including expensive tests skipped in CI, and generate trend reports.

Release checklists include evaluation sign-off as a required step.

9.3 Reporting and Communication

Executive summaries highlight key metrics, trends, and risks in non-technical language.

Engineering reports provide detailed breakdowns by category, specific failure examples, and actionable insights.

Dashboards offer real-time visibility into quality metrics, historical trends, and production health, including the Pareto frontier view.

Postmortems analyze significant quality incidents, trace root causes, and recommend preventive measures.

9.4 Continuous Improvement

Gap analysis identifies failure modes the golden set does not catch. Every production incident is a candidate for a new test case.

Rubric calibration regularly compares automated scores to human judgment.

Threshold tuning adjusts gates based on actual system performance and user tolerance.

Process retrospectives examine whether the evaluation process is working — are gates respected, reports read, findings actioned?

10. Retrieval-Augmented Generation Considerations

10.1 RAG-Specific Challenges

RAG introduces additional evaluation dimensions. The system can fail at retrieval (wrong documents), at synthesis (misusing correct documents), or at both.

10.2 Retrieval Evaluation

Retrieval quality should be measured independently of generation quality.

  • Recall at K — whether the correct documents appear in the top K. Requires labeled cases with known relevant documents.
  • Precision at K — fraction of retrieved documents that are relevant. High precision avoids overwhelming the generator with noise.
  • Mean reciprocal rank — how early relevant documents appear. Matters when generators are sensitive to position.

10.3 Attribution Evaluation

  • Citation presence — are claims that should be cited actually cited?
  • Citation correctness — do citations support the claims they attach to?
  • Faithfulness — does the generated text accurately represent what the sources say?

10.4 Answerability

RAG systems should recognize when they can and cannot answer from the available documents.

  • Answerable cases — required information is present; the system answers with citations.
  • Unanswerable cases — required information is absent; the system acknowledges this rather than hallucinate.
  • Partially answerable cases — some but not all required information is present; the system answers what it can and acknowledges gaps.

11. Safety Evaluation

11.1 Threat Modeling

Unintentional harm — incorrect medical or legal advice, biased or discriminatory content, personal information leakage, psychological distress.

Intentional misuse — harassment, malware or weapons instructions, non-consensual intimate content, fraud or deception.

Adversarial attacks — jailbreaking (bypassing safety measures), prompt injection (hijacking the system), data exfiltration (extracting training data or system prompts).

11.2 Safety Test Cases

The golden set includes cases that probe each threat category.

  • Known jailbreaks — does the system resist documented attack patterns?
  • Prompt injection attempts — does the system maintain its intended behavior when users try to override it?
  • Boundary probes — requests close to harmful but not quite; verify consistent policy enforcement.
  • Sensitivity tests — medical, legal, political, religious topics requiring careful handling.

11.3 Safety Metrics

Reported per AILuminate harm category (§3.2.6) and as aggregates:

  • Attack success rate — how often adversarial inputs elicit prohibited behavior.
  • False refusal rate — how often benign requests are incorrectly refused.
  • Policy compliance rate — adherence to specific content policies.
  • Severity distribution — not just whether failures occur, but how severe.

12. Implementation Considerations

12.1 Starting Small: the Golden-Eval starter-v1 reference run

The framework ships with a concrete, runnable starter configuration that demonstrates the methodology end-to-end without requiring a custom golden set or rubric.

Starter golden set (starter-v1). 30 cases across 9 categories: happy_path, ambiguous, adversarial, refusal_required, code_generation, format_compliance, reasoning, rag, bias_probe. Sized deliberately small so a full evaluation completes in minutes and costs cents, but stratified across categories so the result surfaces real differences between models.

Starter rubric (starter-v1). Six dimensions selected for high signal at low cost:

  • CORRECTNESS (LLM-judge, three-point)
  • SAFETY (rule + LLM-judge rollup, binary)
  • INSTRUCTION_FOLLOWING (LLM-judge, three-point)
  • COHERENCE (LLM-judge, three-point)
  • LATENCY_BUDGET (rule-based, binary; SLA = p95 < 5s)
  • COST_EFFICIENCY (rule-based, continuous)

Reference run. 2 models × 30 cases = 60 evaluations, completed in under 10 minutes for approximately $0.008 in API spend. The run produces a populated leaderboard, Elo / Bradley-Terry / TrueSkill rankings with bootstrap CIs, a quality × cost × latency Pareto report, and AILuminate per-category safety breakouts.

This is the operational floor. From here, expansion follows the priority order in §12.2.

12.2 Scaling Up

Expand in priority order:

  1. Increase golden set coverage based on production gaps.
  2. Add automated judging coverage to reduce human evaluation burden.
  3. Implement production monitoring for real-time quality signals.
  4. Refine gates based on observed variance and importance.
  5. Build dashboards and reporting for organizational visibility.

12.3 Anti-Patterns

Golden set rot — the test set stops reflecting real usage. Combat with regular review and production-driven additions.

Threshold calcification — gates set once and never adjusted. Combat with regular calibration against user experience.

Metric tunnel vision — teams optimize for measured metrics at the expense of unmeasured quality. Combat with regular human evaluation and user feedback integration.

Evaluation theatre — evaluations run but results are ignored. Combat with hard gates and accountability for failures.

Single-metric reporting — collapses quality, cost, and latency onto one axis and produces wrong selection decisions. Combat with the Pareto frontier (§8).

Point-estimate gating — gates pass/fail on a noisy point estimate. Combat with bootstrap CIs and INDETERMINATE gate verdicts (§6.6).

Construct drift — a dimension's operationalization slowly diverges from its claimed target. Combat with the construct-validity framework (§3.5) and routine validity-gap re-assessment.

13. Conclusion

Evaluation is not a phase of AI development; it is an ongoing discipline. The goal is not to prove that the system is good but to understand how it behaves, where it fails, and whether it is improving — with appropriate honesty about uncertainty and validity.

A standardized evaluation framework provides the structure for that understanding. The golden set captures what you care about. The rubric defines how you measure it, with explicit construct-validity discipline. The harness makes measurement repeatable across providers and time. Judging turns outputs into scores, with the judge itself validated against humans. Gates enforce standards while respecting uncertainty. Monitoring catches what testing missed. The integrity layer detects the cheating that consequential benchmarks always attract. The Pareto view ensures selection decisions are made on the right axes.

Built well and maintained seriously, this transforms AI quality from an aspiration into an engineering discipline, and meets the standard NIST CAISI calls for: measurements that articulate what they measure, qualify what they claim, and report uncertainty honestly.

Appendix A: Glossary

Golden Set — A curated, versioned collection of test cases used as the reference for evaluation.

Rubric — A structured scoring guide that defines how to evaluate responses across multiple dimensions.

Harness — The infrastructure that executes test cases, captures results, and manages evaluation runs.

Gate — A threshold condition that must be met before a change can be released.

Shadow Evaluation — Running the golden set against the production system on a schedule to detect drift.

Groundedness — The degree to which claims in a response are supported by provided context.

Hallucination — Claims in a response that are not supported by evidence or context.

LLM-as-Judge — Using a language model to evaluate the outputs of another language model.

Construct Validity — The degree to which a testing procedure actually measures the concept it claims to measure (NIST CAISI §I-A).

Pareto Frontier — The set of models for which no other evaluated model is at least as good on every axis and strictly better on at least one.

Solution Contamination — Evaluation cheating in which the model accesses information that improperly reveals task answers (NIST CAISI).

Grader Gaming — Evaluation cheating in which the model exploits gaps in the automated scorer without fulfilling the intended task (NIST CAISI).

Retrieval-Augmented Generation (RAG) — A system that retrieves relevant documents and uses them to inform generation.

NIST Center for AI Standards and Innovation (CAISI). Open Questions in AI Measurement Science. — Primary source for the construct-validity, uncertainty-quantification, LLM-as-judge validation, and evaluation-cheating frameworks adopted in this document.

NIST AI 600-1 (2024). Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. — Cross-cutting risk taxonomy for generative AI systems; informs the safety dimensions and governance structure.

MLCommons (2024). AILuminate v1.0 AI Safety Benchmark. https://mlcommons.org/benchmarks/ailuminate/ — Source of the ten-category harm taxonomy implemented in §3.2.6.

Liang, P., et al. (2022). Holistic Evaluation of Language Models (HELM). Stanford CRFM. — Multi-dimensional evaluation methodology and the case for reporting along many axes simultaneously.

Hendrycks, D., et al. (2021). Measuring Massive Multitask Language Understanding (MMLU). — Benchmark design at scale and the limits of multiple-choice capability assessment.

Papineni, K., et al. (2002). BLEU: A Method for Automatic Evaluation of Machine Translation. — Historical foundation for automated evaluation metrics.

Lin, C.-Y. (2004). ROUGE: A Package for Automatic Evaluation of Summaries. — Foundational summarization evaluation metric.

Zheng, L., et al. (2023). Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena. — Empirical analysis of LLM-as-judge reliability and bias.

Bai, Y., et al. (2022). Training a Helpful and Harmless Assistant with Reinforcement Learning from Human Feedback. Anthropic. — Reference for the helpful-harmless trade-off underlying refusal-accuracy methodology.