The AI Safety Index 2026 arrived on July 7 with a blunt headline: the best safety grade any frontier AI lab could earn is a C+. The Future of Life Institute’s Summer 2026 edition scores nine leading AI companies across 37 indicators in six domains, and Anthropic tops the field at 2.66 on a roughly 4.0-point scale — a grade most universities would put on academic probation.
The press coverage has focused on the drama — OpenAI slipping a letter tier, xAI falling to an F, all four leading labs walking back earlier pause pledges. What almost nobody has written is the part that matters if you sit on the buying side: what a lab-level safety grade actually tells you when you’re selecting an AI vendor, and — just as important — what it structurally cannot.
This readout covers the published grades exactly as FLI issued them, the two-edition trend, the pledge-walkback findings, the methodological dispute raised by the open-weight labs, and a domain-by-domain map that translates the index’s six categories into the procurement risks they most closely resemble. The enterprise-buyer lens is our synthesis, not FLI’s framing — the institute writes for policymakers and the public, not procurement teams.
- 01Nobody breaks C+.Anthropic leads the Summer 2026 index at C+ (2.66), with OpenAI (C, 2.28) and Google DeepMind (C, 2.01) behind. xAI, DeepSeek, and Mistral fail — one lab each from the US, China, and Europe.
- 02The index grades labs, not deployments.FLI explicitly evaluates nine companies — their policies, disclosures, and governance — not specific deployed products. A C+ says nothing about whether your specific model, configuration, and contract meet your bar.
- 03All four leaders weakened pause pledges.Anthropic, OpenAI, Google DeepMind, and Meta have all weakened or voided earlier commitments to pause if risk thresholds were approached — reviewers described it as moving the goalposts.
- 04Existential safety is the weakest domain everywhere.No company scored better than C− on existential safety, and most scored D or below. The single best grade in the domain is Anthropic’s D+.
- 05Open-weight vendors dispute the framework.Mistral argues the index structurally penalizes open-weight release models, where the deploying enterprise — not the lab — controls fine-tuning and safety controls. For buyers, that is a real methodological nuance, not just spin.
01 — The GradesNine labs, one C+, three failures.
The Future of Life Institute published the Summer 2026 AI Safety Index on July 7, 2026, grading nine leading AI companies on evidence collected through June 3. Anthropic took the top overall grade at C+ (2.66), leading five of the six domains. OpenAI followed at C (2.28) — it now leads the Risk Assessment domain on the strength of a broader evaluation suite and external-testing engagement — with Google DeepMind third at C (2.01). Meta improved to D+ (1.32). Z.ai (0.88) and Alibaba Cloud (0.87) landed at D−, and three labs received failing grades: xAI (0.65), DeepSeek (0.47), and Mistral (0.33) — one company each from the US, China, and Europe.
Overall scores · FLI AI Safety Index, Summer 2026
Source: Future of Life Institute, AI Safety Index Summer 2026 (Jul 7, 2026). Bars show each overall score as a share of the ~4.0-point scale.02 — MethodologyHow the index is built — and what feeds it.
Before citing any grade in a vendor-selection memo, it’s worth knowing exactly what produced it. The index grades each company on 37 indicators grouped into six domains: Risk Assessment, Current Harms, Safety Frameworks, Existential Safety, Governance & Accountability, and Information Sharing. Seven outside expert reviewers assign the grades — the panel includes UC Berkeley professor Stuart Russell, University of Montreal professor David Krueger, and HEC Montréal professor Tegan Maharaj.
The evidence base is a mix of a company survey and public materials. Only five of the nine companies completed FLI’s survey — Alibaba, xAI, DeepSeek, and Mistral did not respond — so those four labs’ grades rest entirely on public policies, research, reporting, and disclosures. That matters for interpretation: a non-responding lab with strong internal-but-unpublished practices would be graded on the thinner public record.
Across six domains
Risk Assessment, Current Harms, Safety Frameworks, Existential Safety, Governance & Accountability, and Information Sharing — with evidence collected through June 3, 2026.
Independent expert graders
Outside reviewers assign the grades, including Stuart Russell (UC Berkeley), David Krueger (University of Montreal), and Tegan Maharaj (HEC Montréal).
Labs completed FLI’s survey
Alibaba, xAI, DeepSeek, and Mistral did not respond. Their grades are built from public policies, research, reporting, and company disclosures alone.
One scope note that shapes everything downstream: FLI states the index “Evaluates 9 leading AI companies (not specific deployments) across 37 indicators.” That parenthetical is the most buyer-relevant clause in the whole report, and Section 05 is devoted to it.
03 — The TrendWinter 2025 to Summer 2026: mostly downward drift.
FLI publishes the index twice a year, which allows a same-lab trend read. The table below compares the two most recent editions — Winter 2025 (published December 2025) and Summer 2026 — using FLI’s published overall grades and scores for both. The pattern is hard to miss: seven of the eight labs graded in both editions scored lower in Summer 2026, and only Meta moved meaningfully up.
| Lab | Winter 2025 | Summer 2026 | Score change | Read |
|---|---|---|---|---|
| Anthropic | C+ · 2.67 | C+ · 2.66 | −0.01 | Holds first place; leads 5 of 6 domains |
| OpenAI | C+ · 2.31 | C · 2.28 | −0.03 | Drops a letter tier; now leads Risk Assessment |
| Google DeepMind | C · 2.08 | C · 2.01 | −0.07 | Third place in both editions |
| Meta | D · 1.10 | D+ · 1.32 | +0.22 | Only meaningful riser: 6th up to 4th |
| Z.ai | D · 1.12 | D− · 0.88 | −0.24 | Slips below the D line |
| Alibaba Cloud | D− · 0.98 | D− · 0.87 | −0.11 | Static near the bottom of the D band |
| xAI | D · 1.17 | F · 0.65 | −0.52 | Sharpest fall: 4th down to 7th |
| DeepSeek | D · 1.02 | F · 0.47 | −0.55 | Second failing grade |
| Mistral | Not yet rated | F · 0.33 | New entrant | Lowest score of the nine; disputes the framework |
Three movements deserve a second look. OpenAI’s slip from C+ to C is small numerically (−0.03) but crosses a letter boundary the headlines amplified. xAI’s fall is the steepest — from D (1.17, 4th place) to F (0.65, 7th) in six months. And Meta’s rise from D to D+ (6th to 4th) is the edition’s only encouraging signal; FLI president Max Tegmark told TIME, “It’s encouraging to me that a company can improve so much in just six months.”
A dated footnote for anyone cross-referencing the table: xAI formally rebranded to SpaceXAI on July 6, 2026 — one day before the index published — following its merger into SpaceX. The index still lists the row as “xAI” because its evidence window closed June 3, before the rename. The Grok chatbot brand was unaffected.
04 — The WalkbacksThe story under the grades: weakened pledges.
The finding that drove most of the coverage isn’t any single grade — it’s the direction of travel on commitments. Per the index and its reviewers, Anthropic, OpenAI, Google DeepMind, and Meta have all weakened or voided earlier pledges to pause development unilaterally if specified risk thresholds — “redlines” — were approached. Reviewers characterized this as “moving the goalposts,” saying it “undermined safety frameworks across the board.”
Even the top-graded lab is part of the pattern. In February 2026, Anthropic dropped its pledge to never train a system unless it could guarantee in advance that its safety measures were adequate — a reversal the index panel recommended undoing. And from 2024 to 2026, Anthropic, OpenAI, Google DeepMind, and Meta — all of which previously banned military applications of their models — gradually reversed course and began actively seeking defense partnerships, joining xAI and Mistral, which never had such bans.
"Companies have backed away from earlier commitments to release new systems only with safety measures appropriate for their capability levels."— Stuart Russell, AI Safety Index expert reviewer
Fellow reviewer David Krueger was blunter still, calling AI companies’ “lack of progress towards credible AI Safety plans” scandalous. For a buyer, the practical translation is this: a vendor’s published safety framework is a living document that can be weakened after you sign. If a specific commitment — an evaluation gate, a deployment threshold, an incident-disclosure promise — matters to your risk posture, it belongs in the contract, not in a bookmark to the vendor’s policy page. The walkback finding also explains why voluntary indices keep pointing at the regulatory landscape these voluntary pledges are meant to pre-empt — self-set redlines have now demonstrably moved at all four leading labs.
05 — The Scope CaveatThe index grades labs, not the thing you deploy.
Here is the clause that should sit at the top of any procurement memo citing these grades: FLI evaluates nine companies — their policies, disclosures, research, and governance — not specific deployed products. A lab-level C+ is not a safety certificate for the particular model version, API configuration, fine-tune, and contract terms your team is actually evaluating. And a lab-level F does not automatically mean a deployment built on that lab’s model is unsafe — the controls may simply live somewhere else in the stack.
The distinction is not academic. A lab can lead the transparency domain while its production systems still force real deployment tradeoffs — Anthropic’s own safety-classifier tradeoffs in production are a concrete example of decisions that surface at the product layer, not the policy layer. Conversely, the controls that most determine whether your deployment is safe — input/output filtering, permission scoping, human-in-the-loop gates, abuse monitoring — are the deployment-level guardrails an index score can’t verify, because they’re built by you, not the lab.
So use the index for what it actually measures: the governance maturity and disclosure posture of the organization behind your vendor. That is genuinely useful — it is the best independent, recurring, comparable read on lab-level behavior that exists right now. It is one input into vendor risk, not a substitute for deployment assurance.
06 — The Open-Weight TensionDoes the methodology penalize open weights?
Mistral — newly added to the index and handed its lowest score — pushed back on the framework itself. In a statement to Axios, the company argued that its open-weight release model gives enterprises, not Mistral, control over fine-tuning, deployment, and safety controls, and that “a handful of companies deciding, behind closed doors, what’s safe for everyone else is a risk” worth weighing too.
Self-serving? Partly. But the underlying point is a real methodological tension buyers should understand. An org-level policy index structurally favors closed-API vendors, who can point to internal governance processes they control end-to-end. It structurally penalizes open-weight vendors, whose safety posture is — by design — delegated to the deploying enterprise. A low index grade for an open-weight lab tells you the lab publishes less safety governance; it does not tell you whether an enterprise that deploys those weights behind its own controls is running a safer or less safe system than one calling a closed API.
The practical consequence: if you’re weighing hosted APIs against open weights, the index helps you compare the closed-API vendors against each other, and it helps you gauge how much safety scaffolding an open-weight choice shifts onto your own team. With a major open-weight release landing this month, that second use is timely — our open-weights adoption readiness checklist covers exactly the controls a deploying team inherits, and the broader open-weight model wave this July means more procurement teams will face this closed-vs-open question in the next two quarters, not fewer.
Comparing hosted-API vendors
This is where the index is most directly useful: the labs control the full safety stack, so lab-level governance grades map more cleanly onto what you’re buying. Still verify the product layer.
Self-hosted or fine-tuned deployments
The lab’s grade matters less; your own controls matter more. Read a low open-weight grade as ‘more safety work lands on us,’ then budget for guardrails, evals, and monitoring accordingly.
Multi-vendor routing
Most enterprises end up here. Use lab grades to set per-vendor review depth — lighter diligence where governance is stronger, deeper independent testing where it’s weak or unrated.
07 — The Buyer MapSix FLI domains, translated into procurement risk.
The index’s six domains come from AI-governance research, not vendor management — so here is the translation layer. For each FLI domain, the table maps what the grade measures at the lab level, the closest buyer-side risk category, and what still has to be verified at the deployment level regardless of the grade. The mapping is Digital Applied’s synthesis; in almost every row, the honest answer in the last column is “verify it yourself.”
| FLI domain | What it grades at the lab | Closest buyer-side risk | Still verify at deployment level |
|---|---|---|---|
| Risk Assessment | How rigorously the lab evaluates dangerous capabilities before release, including external testing | Pre-deployment evaluation coverage for your use case | Run your own red-team and evals on the specific model and workload — a strong lab grade does not test your prompts |
| Current Harms | The lab’s posture on present-day harms and misuse of its deployed systems | Operational and brand harm exposure in production | Deployment-level guardrails, content filtering, and abuse monitoring in your own stack |
| Safety Frameworks | Whether the lab publishes credible scaling and safety frameworks and keeps its commitments | Contractual and SLA-level safety commitments | Read the vendor’s current framework text and negotiate the commitments that matter into the contract |
| Existential Safety | Planning for catastrophic and loss-of-control scenarios from frontier development | Concentration and tail-risk exposure to a single vendor | Multi-vendor routing, tested exit plans, and data portability — no lab grade substitutes here |
| Governance & Accountability | Organizational structure, internal accountability, and whistleblowing culture | Vendor governance maturity | Standard vendor due diligence: incident-response terms, escalation paths, named accountability |
| Information Sharing | Transparency with governments, researchers, and the public about capabilities and incidents | Audit and transparency access | Contractual audit rights, incident-disclosure windows, and model-change notification terms |
Worked example: suppose your shortlist is OpenAI versus Anthropic for an agentic workflow. The index tells you Anthropic leads five of six domains overall while OpenAI leads Risk Assessment — useful color on organizational posture. What it cannot tell you is which vendor’s model behaves more safely on your prompts, with your tools, under your permission model. That comparison only comes from running both against your own evaluation set — the kind of comparative eval and governance program we build in our AI transformation engagements. Pair the lab grade with the deployment audit; never substitute one for the other.
08 — Beyond the IndexOther independent signals worth pairing with the grades.
The FLI index is the most visible lab-level scorecard, but it shouldn’t be the only external signal in a vendor file. This summer, OpenAI and Anthropic separately conducted a joint cross-lab safety evaluation exercise — each running its internal safety and misalignment evaluations against the other’s publicly released models and publishing the results. That’s a lab-initiated transparency mechanism, distinct from the FLI index, and it’s exactly the kind of artifact worth requesting more of in vendor conversations: adversarial, technical, and about actual model behavior rather than policy documents.
Regulation is the other trendline. Tegmark told TIME he is “cautiously optimistic” that regulation can create the race-to-top incentive a voluntary index alone cannot, pointing to the EU AI Act, Chinese AI rules taking effect later in July 2026, and a more risk-conscious US administration. For buyers, the direction is what matters: over the next several cycles, more of what the index grades voluntarily is likely to become auditable compliance surface — which will make lab-level claims easier to verify and harder to quietly walk back.
Our forward read: the index’s real value to enterprises will compound as editions accumulate. One C+ snapshot is trivia; a multi-edition series showing which labs strengthen commitments under scrutiny — and which ones quietly weaken them — is exactly the behavioral signal that predicts how a vendor will treat your deployment when incentives get tight. Governance failures are already a leading driver of stalled AI initiatives — the governance gaps already driving agentic project cancellations rarely start at the model layer. They start with nobody having verified who owns which control. The buyer map above is how you avoid becoming that statistic.
09 — ConclusionUse the grade as a signal, never as a certificate.
A C+ industry means the audit burden is yours.
The Summer 2026 AI Safety Index says something uncomfortable and useful at the same time: the best-governed frontier lab in the world earns a C+, existential safety is graded D+ at best, and all four leading labs have weakened pledges they made when the stakes felt more theoretical. Those are lab-level facts, published by an independent panel, on a recurring schedule — and that makes the index genuinely worth citing in vendor files.
But the index grades companies, not deployments — FLI says so itself. The grades cannot see your prompts, your tools, your fine-tunes, your contracts, or your monitoring. So the operating posture for 2026 procurement is simple: read the index for organizational trajectory, tier your diligence by it, and then verify every control that touches your deployment yourself — with your own evals, your own guardrails, and commitments written into contracts rather than bookmarked from policy pages.
When an entire industry grades out between F and C+, the gap between the best lab’s policies and your deployment’s actual safety is not a rounding error — it is where all of your real risk lives. Treat the index as the start of due diligence, and it earns its place in the file. Treat it as the finish line, and you’ve outsourced judgment to a scorecard that was never designed to carry it.