AI Safety Evaluation Frameworks Compared: HELM, Inspect, OpenAI Evals, lm-eval-harness, JailbreakBench, HarmBench, MLCommons AILuminate, and HF Leaderboard — Real Trade-offs (2026)

**HELM** (Holistic Evaluation of Language Models) from Stanford CRFM is the original 'measure everything' framework. The published methodology at https://crfm.stanford.edu/helm/ covers accuracy, calibration, robustness, fairness, bias, toxicity, and efficiency across 200-plus scenarios. The strength is breadth — if a model lab wants to make a public claim about safety or capability, HELM is the standard reference. The weakness is operational cost: a full HELM run against GPT-5 can consume millions of tokens and several hundred dollars in API spend per cycle. HELM was designed for periodic publication, not for in-loop CI gating.

**Inspect** is the UK AI Safety Institute's open-source eval framework, released in 2024 and now used by both the UK and US AI Safety Institutes for pre-deployment frontier model reviews. The project at https://inspect.aisi.org.uk/ is purpose-built for agent evaluation — multi-turn scaffolds, tool use, sandboxed execution, human-in-the-loop scoring, and structured JSON logs. If you are evaluating a model that calls tools, browses, writes code, or operates over multiple turns, Inspect is the most production-ready harness on the market. The framework is also the closest thing to a 'standard' that government safety institutes will accept for regulatory submissions.

**OpenAI Evals** at https://github.com/openai/evals is the original lightweight template registry — YAML files that define a prompt, a scoring function, and an expected output. The framework was open-sourced in 2023 and has roughly 250 community-contributed evals in the registry. The strength is simplicity: any engineer can add an eval in under an hour. The weakness is that OpenAI has shifted internal evaluation focus to private internal harnesses, and the public registry has not seen a major architectural update in over a year. Treat it as a useful starting point for custom evals, not as a benchmark standard.

**EleutherAI's lm-evaluation-harness** at https://github.com/EleutherAI/lm-evaluation-harness is the academic workhorse — over 400 tasks including MMLU, BBH, TruthfulQA, GSM8K, ARC, HellaSwag, and most of the benchmarks you see on model cards. It is the canonical scorer behind the Hugging Face Open LLM Leaderboard and the majority of published model evaluations in 2025-2026. If your engineering team needs to reproduce a published score exactly, lm-eval-harness is the tool. The weakness is that the safety-specific coverage is thinner than HELM's — TruthfulQA, ToxiGen, CrowS-Pairs, BBQ, and ETHICS are included, but agent-grade safety scaffolds are not.

**JailbreakBench** at https://jailbreakbench.github.io/ and **HarmBench** at https://www.harmbench.org/ are adversarial robustness suites. JailbreakBench provides a curated set of behaviors plus an attack/defense leaderboard with attack success rate (ASR) as the headline metric. HarmBench takes a similar approach with broader behavioral coverage — chemical, biological, cyber, copyright, and harassment categories — and includes an automated red-team evaluator. Both are research-grade artifacts. Engineering teams use them for regression testing rather than for procurement decisions; the official ASR numbers are also the most cited adversarial benchmarks in the 2025-2026 academic literature.

**MLCommons AILuminate** at https://mlcommons.org/benchmarks/ailuminate/ is the industry consortium's answer to 'we need a standardized safety grade.' The v1.0 benchmark covers 12 hazard categories with roughly 12,000 prompts, and models are graded on a Poor / Fair / Good / Very Good / Excellent scale. The grading is done by MLCommons rather than self-reported, which is the strategic moat — if you submit a model, you receive an official grade card you can hand to procurement or compliance. The **Hugging Face Open LLM Leaderboard** at https://huggingface.co/spaces/open-llm-leaderboard/open_llm_leaderboard is the public capability scoreboard for open models, run on lm-eval-harness and refreshed continuously. Use it for open-weight model selection, not for safety claims.

**HELM** ships as a Python library with a CLI runner. You configure a YAML run spec, point it at a model endpoint (OpenAI, Anthropic, Google, or a local vLLM server), and it executes the scenario suite, writes JSON results, and renders an HTML leaderboard. The architecture is monolithic — HELM owns the scenario, the prompt formatting, the metric, and the report. This is great for benchmark publication and brutal for in-loop CI. The project at https://github.com/stanford-crfm/helm publishes a clean Python API, but most teams adopting HELM run it on a nightly schedule rather than per-commit.

**Inspect** is the architectural opposite — a thin Python SDK with first-class primitives for tasks, solvers, scorers, and sandboxes. You write a task as a Python file, register it, and run it against any provider (OpenAI, Anthropic, Google, Bedrock, vLLM, Together). The structured JSON log format is designed for piping into observability tools, and the official log viewer at https://inspect.aisi.org.uk/ renders interactive trace exploration. Inspect's bet — that evals belong in your codebase next to your application code — is the right architectural bet for production AI teams in 2026.

**OpenAI Evals** uses YAML registry files plus optional Python custom evals. The CLI runner reads the registry, hits the model API, and writes JSON lines per sample. Integration with CI is straightforward — `oaieval` is a single shell command — but the framework does not have first-class support for multi-turn agent scaffolds or tool use. If your evals are simple prompt-in / completion-out checks, OpenAI Evals is the lowest-friction option. Anything more complex and you outgrow it.

**lm-evaluation-harness** uses a Python task registry with templated prompts. The CLI runner `lm_eval --model hf --tasks mmlu,truthfulqa_mc --device cuda` is the academic default. It supports OpenAI, Anthropic, HuggingFace local models, vLLM, and most major providers. The output format is JSON plus a CSV summary, and the project ships first-class Hugging Face Hub integration so you can push results directly to a leaderboard. CI integration is common in the open-model community — most Llama, Mistral, and Qwen forks run lm-eval-harness on every checkpoint release.

**JailbreakBench** and **HarmBench** ship as research repos. JailbreakBench provides a Python harness for running attacks and defenses, plus a public leaderboard at https://jailbreakbench.github.io/. HarmBench's harness at https://github.com/centerforaisafety/HarmBench includes an automated classifier (HarmBench-Llama-2-13b-cls) for scoring whether a model output is harmful. Wiring either into CI requires custom glue — the projects assume you are running them as research experiments, not as gating checks on every PR. For a production red-team CI, expect to write 200-400 lines of wrapper code.

**MLCommons AILuminate** is unusual — you do not run AILuminate yourself for the official grade. You submit your model endpoint (or weights for local evaluation) to MLCommons, and they run the private test set and return a grade card. A public practice set at https://mlcommons.org/benchmarks/ailuminate/ lets you test your harness wiring and get a directional grade, but the canonical grade requires submission. This is the right design for compliance — vendors cannot self-grade — but the wrong design for in-loop CI. Use AILuminate for periodic external grading, not for per-commit checks.

**HELM's safety coverage** is the broadest of the general-purpose frameworks. The published taxonomy at https://crfm.stanford.edu/helm/ includes BBQ (bias in question answering), TruthfulQA (hallucination resistance), RealToxicityPrompts (toxicity generation under provocation), DecodingTrust (an aggregated trustworthiness benchmark), MMLU-Pro (knowledge), and fairness scenarios across demographic axes. Calibration is also measured — how often the model's confidence matches its accuracy — which most other frameworks treat as out-of-scope. The HELM Safety subset, introduced in 2024, packages the safety scenarios as a runnable subset for teams that do not need the full capability suite.

**Inspect's safety coverage** is the most production-relevant for agent systems. The UK AISI maintains first-party tasks for cyber capability (autonomous exploitation, CTF challenges), biological risk (uplift on dangerous synthesis instructions), persuasion (effectiveness of model-generated persuasive content), and agentic harm (whether a model agent will pursue harmful goals when given tools). The agent-grade scaffolds make Inspect uniquely suited for evaluating models with tool access, code execution, or browser control — the safety surface that matters most in 2026. Documentation at https://inspect.aisi.org.uk/ includes worked examples for each.

**lm-evaluation-harness safety tasks** include TruthfulQA-MC (multiple choice hallucination), ToxiGen (implicit hate speech detection), CrowS-Pairs (stereotyping), BBQ (bias under ambiguity), and ETHICS (moral reasoning). The coverage is more shallow than HELM's but the implementations are the same ones used in academic publications, which makes them the right choice for reproducibility. If you need a TruthfulQA score that matches the original paper exactly, lm-eval-harness is the source of truth.

**JailbreakBench's coverage** is depth-over-breadth. The benchmark defines roughly 100 harmful behaviors (build a bomb, write a phishing email, generate disinformation), plus attack methods (PAIR, GCG, DAN-style prompts, transfer attacks) and defense methods (system prompts, perplexity filtering, paraphrasing). The headline metric is attack success rate (ASR) — what fraction of behaviors a given attack can elicit on a given model. As of June 2026, the leaderboard at https://jailbreakbench.github.io/ shows GPT-5 and Claude Opus 4.7 with materially lower ASR than open Llama 4 variants under the same attack budget — verify current numbers before citing them.

**HarmBench's coverage** is broader than JailbreakBench — eight high-risk categories including chemical/biological harm, cyber harm, copyright, misinformation, harassment, illegal activities, and human trafficking. The included Llama-2 classifier scores model outputs as harmful or refused without requiring human review, which makes large-scale automated evaluation feasible. The HarmBench paper at https://www.harmbench.org/ reports systematic findings: simple jailbreak attacks transfer across models more than the model labs' marketing suggests, and defense techniques degrade benign capability measurably. Use HarmBench when you need to test specific harm categories your application could surface.

**MLCommons AILuminate v1.0 hazard categories** include violent crimes, non-violent crimes, sex-related crimes, child sexual exploitation, defamation, specialized advice (medical/legal/financial), privacy, intellectual property, indiscriminate weapons, hate, suicide/self-harm, and sexual content. The grading methodology at https://mlcommons.org/benchmarks/ailuminate/ uses a private prompt set graded by a panel of evaluator models, with the Poor-to-Excellent scale calibrated against a reference frontier model. The strength is procurement defensibility — 'we are AILuminate Good in all 12 hazard categories' is a real claim that survives an enterprise security review. The weakness is that the grade can lag your model — a refresh between AILuminate cycles is not graded until the next cycle.

If you are a frontier AI lab preparing for a pre-deployment safety review with the UK or US AI Safety Institute, the answer is **Inspect**. It is the institute's own framework, the scaffolds are the ones the safety teams know how to read, and the JSON log format integrates with the review tooling. Even if your internal preference is HELM or a custom harness, you will produce Inspect logs for the regulator. Per https://inspect.aisi.org.uk/ the framework is also actively maintained by the same teams running the reviews, which matters when you need a specific scaffold added on a tight timeline.

If you are an open-model team (Llama fork, Mistral fine-tune, Qwen variant) and your goal is public leaderboard parity, the answer is **lm-evaluation-harness**. The Hugging Face Open LLM Leaderboard at https://huggingface.co/spaces/open-llm-leaderboard/open_llm_leaderboard runs on lm-eval-harness, and the academic publications you will be compared against use the same harness. Wire it into CI on every checkpoint, push results to the Hub, and you have apples-to-apples comparability with every other open model.

If you are an applied AI engineering team shipping production agents (RAG, customer support, internal copilots) and your priority is gating dangerous regressions, the right stack is **Inspect** for agent-grade safety scaffolds plus **JailbreakBench** or **HarmBench** for adversarial regression. Run Inspect on the safety scaffolds that match your product surface (tool use, code execution, retrieval) and run JailbreakBench on a quarterly schedule to catch jailbreak regressions in new model checkpoints or system prompt changes. For inference cost planning, the Claude API cost calculator and the GPT-5 cost calculator will keep your eval budget honest.

If you are an enterprise procurement or risk team evaluating which third-party model to license, the right artifact is the **MLCommons AILuminate** grade card. The official grade survives compliance review in a way that 'the vendor self-reported a 92% safety pass rate' never will. The AILuminate program at https://mlcommons.org/benchmarks/ailuminate/ also publishes graded results for major commercial models on a recurring basis — use those for vendor comparison before going to RFP.

If you are a research team publishing a new model and you need a marketing benchmark headline, the answer is **HELM** plus **lm-evaluation-harness**. HELM gives you the broad cross-axis comparison chart that every paper now includes; lm-eval-harness gives you the per-task scores other papers will use to compare against you. Running both is expensive — a full HELM plus lm-eval run against a 70B model can take 24-48 hours on an 8xH100 node — but it is the publication standard.

If you are a small team iterating quickly on a custom prompt-based product and you need lightweight evals in your dev loop, **OpenAI Evals** is still the right tool. YAML-defined evals you can write in 15 minutes, a CLI you can wire into GitHub Actions in another 15 minutes, and a registry you can browse for inspiration. For complex agent evaluations Inspect is better, but for 'does this new prompt regress on my 50-prompt golden set' OpenAI Evals is hard to beat.

A full **HELM Core** run against GPT-5 in 2026 consumes roughly 8 to 12 million input tokens and 1 to 2 million output tokens across the 200-plus scenarios. At published OpenAI list pricing for GPT-5, that lands at approximately $500 to $2,000 per full run depending on which scenarios you enable. The HELM Safety subset is materially cheaper — roughly 1 to 3 million tokens per run, $50 to $300 in API spend. Most teams running HELM in production cache prompts aggressively and run only the deltas on each cycle, which cuts the bill 60 to 80 percent over the naive replay. Model the spend with the GPT-5 cost calculator before signing off on a HELM cadence.

**Inspect** cost scales with the scaffold complexity, not the framework. A single-turn safety scaffold on 500 prompts against Claude Opus 4.7 lands at roughly $20 to $80 in API spend. A multi-turn agentic scaffold with 10-turn tool use on 200 tasks can hit $200 to $800 per run because each turn multiplies the context. The cost-per-run is bounded by your scaffold design, which means you can tune it — most production teams run a small Inspect 'safety smoke test' on every commit and a full Inspect safety suite nightly. Verify current model pricing at https://openai.com/api/pricing/ and https://www.anthropic.com/api before locking in a cadence.

**lm-evaluation-harness** cost is task-dependent. A full MMLU run is roughly 250,000-300,000 tokens against any provider — cheap. A full TruthfulQA-MC run is under 100,000 tokens — very cheap. The expensive tasks are the generation-based scorers (TruthfulQA generative, GSM8K, BBH-Hard) which can push 1-3 million tokens for the full suite. Running the entire harness against a frontier model costs roughly $300 to $1,500. Most teams cherry-pick the 20-40 tasks that matter for their use case rather than running the full 400.

**JailbreakBench** is the cheapest harness on this list — roughly 100 behaviors times 5-20 attack variants each, with short outputs scored by a Llama-2 judge. A full run against any model lands well under $20 in API spend, and the attack iteration is fast enough to run on every model checkpoint or system prompt change. This is the right place to spend your adversarial regression budget — high-signal, low-cost, runnable per-PR.

**MLCommons AILuminate** cost depends on whether you use the public practice set or submit for the official grade. The practice set at https://mlcommons.org/benchmarks/ailuminate/ is roughly 1,500 prompts and costs $20 to $80 to run against GPT-5 or Claude Opus 4.7. The official grade submission uses a private 12,000-prompt set, and MLCommons handles the inference — the cost to the submitting org is the program fee, which for members runs in the low-five-figures annually. Non-members can submit on a per-model fee basis. Verify the current fee schedule with MLCommons directly before budgeting.

The hidden eval cost most teams underestimate is judge inference. Many safety evals — HarmBench, JailbreakBench, several Inspect scaffolds — score outputs by calling a separate judge model. That judge call is real API spend, and on frontier-grade judges (GPT-5 used as a HarmBench replacement scorer, for example) the judge cost can exceed the candidate-model cost. Budget for it. The RAG cost per query calculator is a useful reference for layered LLM calls — the same arithmetic applies to eval pipelines that chain a candidate generation with a judge scoring step.

The realistic eval CI pattern in 2026 has three tiers: per-PR smoke tests (under 60 seconds), nightly regression suites (under 2 hours), and quarterly publication runs (full HELM or full lm-eval-harness). The per-PR tier should run on every change to prompts, system messages, retrieval configs, or model versions. **Inspect** is purpose-built for this — the JSON log format is parseable in GitHub Actions and the CLI returns nonzero on failed assertions. A 50-prompt safety smoke test on Claude Opus 4.7 completes in 30-60 seconds and costs under a dollar.

**OpenAI Evals** also works well for the per-PR tier. The `oaieval` CLI is one shell command, the JSON output is straightforward to assert against in CI, and the YAML registry format makes it easy for non-engineers to add new evals when product or compliance surfaces a new requirement. The trade-off is that OpenAI Evals does not handle multi-turn agent scaffolds gracefully — if your product is an agent, use Inspect at the per-PR tier instead.

**lm-evaluation-harness** is the right tool for the nightly regression suite, especially for open-model teams. The CLI runs all 400 tasks unattended, writes JSON results, and integrates with the Hugging Face Hub for trend tracking. Wire it into a nightly GitHub Actions job pointing at your latest checkpoint, push results to a Hub dataset, and you have a clean longitudinal view of capability and safety regressions. Most open-model teams have automated this end-to-end by late 2025.

**HELM** is the wrong tool for in-loop CI in 2026 — the framework was designed for periodic publication, the run cycle is hours-to-days, and the cost per run is too high to gate every PR. Use HELM on a quarterly cycle for marketing-facing benchmark publication, not for engineering quality gates. If you need 'HELM-style' broad coverage in CI, pick a subset of HELM scenarios (Safety, TruthfulQA, BBQ) and re-implement them in Inspect or lm-eval-harness for the per-PR tier.

**JailbreakBench** integrates well with the per-PR or per-checkpoint tier for adversarial regression. The full attack/defense run is fast enough (under 10 minutes on a frontier-grade judge) and cheap enough (under $20) to run on every meaningful change. Most production teams gate merges on 'attack success rate has not increased by more than 2 percentage points from main' rather than on absolute thresholds — frontier models have residual ASR even at the safety frontier, and a hard 0 percent gate will block every PR.

**MLCommons AILuminate** does not fit CI at all — the grading cycle is monthly to quarterly, not per-commit. Treat it as a marketing and compliance artifact rather than an engineering gate. The right integration pattern is to publish your AILuminate grade prominently on your model card and procurement materials, and refresh it on each major model version. For per-commit safety gating, run Inspect or HarmBench instead.

Some platform teams ask whether they can skip the eval harness entirely and rely on the model provider's native moderation — OpenAI's Moderation endpoint, Anthropic's Constitutional Classifier outputs, or Google's safety filters. For pure content moderation in production traffic, those APIs are reasonable. OpenAI's Moderation endpoint at https://platform.openai.com/docs/guides/moderation is free and fast. Anthropic's safety system prompts at https://www.anthropic.com/safety are baked into Claude by default. But native moderation is a runtime guardrail, not an evaluation framework. It tells you 'this response should be blocked' — it does not tell you 'this model is 15 percent more likely to comply with a jailbreak than the previous version.'

The case for buying a managed eval service rather than running an open-source harness is real for some teams. Vendors like Patronus AI, Arize Phoenix, Braintrust, and Langfuse offer hosted eval pipelines with dashboards, longitudinal tracking, and judge model orchestration. Hosted eval pricing typically lands at $0.10 to $1.00 per evaluation depending on judge complexity, which means a 1,000-prompt eval set costs $100 to $1,000 per run plus the candidate model API spend. For teams that do not want to maintain CI infrastructure or judge models, this is a reasonable trade.

The case for building on top of the open harnesses is much stronger for any team running evals at meaningful scale. Inspect plus lm-eval-harness plus JailbreakBench gives you full control over what is measured, how it is judged, and how the results flow into your observability stack. The engineering investment is real — figure 2-4 engineering weeks for initial wiring, plus ongoing maintenance as the harnesses evolve — but the marginal cost per eval is just the API spend. For any org running more than a few thousand evals per month, the build math wins.

Where build-vs-buy gets nuanced is the judge model. Running HarmBench's Llama-2-13b-cls judge yourself requires GPU infrastructure (or vLLM on Together / Replicate), which adds operational complexity. Using GPT-5 or Claude Opus 4.7 as a judge is simpler but more expensive — judge calls can easily exceed candidate calls in cost. The pragmatic middle ground in 2026 is to use a smaller open judge (HarmBench-Llama-2-13b-cls, Llama Guard 3, ShieldLM) hosted via Together AI or Fireworks for high-volume scoring, and reserve frontier judges for sampling and audit.

The hybrid pattern that works in 2026: **Inspect** for the agent-grade and safety-specific per-PR gating, **lm-eval-harness** for the nightly broad capability regression, **JailbreakBench** for the quarterly adversarial robustness check, and **MLCommons AILuminate** for the annual procurement-facing grade card. Skip HELM unless you are publishing a paper or making a marketing claim. Skip OpenAI Evals unless your evals are simple prompt-completion checks. This stack costs roughly 4-6 engineering weeks to deploy and roughly $2,000 to $8,000 per month in API spend at modest scale.

The bottom line on build-vs-buy: the harness is not the moat. The eval set, the judge calibration, the regression detection logic, and the integration with your release process — that is the durable engineering work. If you are a 200-engineer R&D org with a real strategic reason to own the stack, build on the open harnesses. If you are a 10-person AI feature team without dedicated platform engineers, a managed eval service plus the model provider's native moderation is the right starting point.

If I were standing up an eval program tomorrow for a frontier AI application team, the default stack would be **Inspect** plus **lm-evaluation-harness** plus **JailbreakBench**, with **MLCommons AILuminate** submitted annually for the procurement-facing grade. Inspect handles agent-grade safety scaffolds in the per-PR tier. lm-eval-harness handles broad capability regression nightly. JailbreakBench handles adversarial robustness quarterly. AILuminate handles the external compliance artifact. Combined API spend at modest scale is $3,000 to $8,000 per month, and the engineering investment is roughly 4-6 weeks to deploy. Verify framework status at https://inspect.aisi.org.uk/, https://github.com/EleutherAI/lm-evaluation-harness, https://jailbreakbench.github.io/, and https://mlcommons.org/benchmarks/ailuminate/.

If I were on a tighter budget and could only deploy one harness, I would deploy **Inspect**. It covers more of the modern AI safety surface — agentic harm, tool use, multi-turn — than any other framework on this list, and the structured logs are useful for both engineering CI and external compliance review. The UK and US AI Safety Institute backing is a meaningful signal of long-term maintenance. The only reason to pick something else as your single harness is if you are an open-model team chasing leaderboard parity, in which case lm-evaluation-harness is the right pick.

If I were running a research team publishing benchmarks, I would run **HELM** plus **lm-evaluation-harness**. HELM for the cross-axis publication chart, lm-eval-harness for the per-task numbers other papers will compare against. Both on a quarterly cycle, both fully cached, both with the run configuration committed in the paper's repo so reviewers can reproduce. Do not bother with Inspect for pure publication unless your paper is about agent safety specifically.

If I were running a procurement or vendor risk team, the only artifact I would weight heavily is **MLCommons AILuminate**. The vendor-graded model means the grade survives RFP scrutiny. Treat self-reported HELM or lm-eval numbers from vendors with appropriate skepticism — labs publish the runs that look good. AILuminate's private test set and external grading is the closest thing to an objective standard in 2026.

The one thing I would not do in 2026 is run **OpenAI Evals** as my primary safety harness. The registry is useful, the YAML format is friendly, but the framework has been outpaced by Inspect on capability and by lm-eval-harness on benchmark coverage. Use OpenAI Evals as a starter kit for custom prompt evals and graduate to Inspect when you outgrow it. Verify current project status at https://github.com/openai/evals before assuming the situation has changed.

The other thing I would not do is rely on a single number — 'we are 94% safe' — for any external claim. Modern eval programs report breakdowns: ASR by attack family, hazard scores by category, calibration error by domain, refusal rates by intent. If a vendor or internal team reports a single safety percentage and nothing else, they are either inexperienced or marketing. Real safety evaluation in 2026 is a matrix, not a number. For the model selection side of the same decision, LLM jailbreak prevention 2026 and AI bias evaluation tools 2026 cover the adjacent tooling.