One of the persistent frustrations in AI safety has been that the most important risks are also the hardest to measure. Bias is difficult to quantify across contexts. Hallucination rates vary with the question. And manipulation, the possibility that a sufficiently capable AI might subtly shift how people think without anyone noticing, has been especially resistant to anything resembling an empirical test. This week, Google DeepMind published research that represents a genuine methodological step forward: an empirically validated toolkit designed to measure whether an AI model is actually changing people's beliefs and behaviours, and by how much.
The work is notable for what it is not. It is not a theoretical framework or a red-teaming report about what manipulation might look like. DeepMind ran actual human participant studies, measured real belief change, and then made all the materials publicly available so that other researchers can run the same methodology themselves. The open release matters: safety research that lives inside a single lab cannot be verified or challenged by anyone outside it, which is a problem when the lab publishing the research also built the model being assessed.
DeepMind has also embedded the findings into its Frontier Safety Framework as a new Critical Capability Level (CCL) specifically for harmful manipulation. The CCL structure is worth understanding. DeepMind uses these levels to define thresholds at which a model capability becomes dangerous enough to require specific mitigations before deployment. Adding a manipulation CCL means that as models get more persuasive, there is now a defined point at which that persuasiveness triggers safety review rather than just existing as a background concern. That is a more concrete commitment than the typical "we take this seriously" language that fills most safety disclosures.
The question the research raises, without quite answering, is what a model that triggers a manipulation CCL actually looks like in practice. The most obvious forms of AI manipulation, overt flattery, leading questions, emotional appeals, are already widely discussed. But the more interesting concern is subtler: a model that does not appear to be trying to persuade you, but that consistently frames choices, emphasises certain evidence, and omits alternatives in ways that nudge outcomes. This is not necessarily a failure mode. It may simply be what it looks like when a very capable language model tries to be helpful. The difference between useful framing and manipulation is partly a matter of intent, and current AI systems do not have intent in any meaningful sense; they have training objectives and optimisation pressures that produce similar effects regardless.
OpenAI published its own safety announcements this week, including a bug bounty for safety issues and new teen safety guidelines for developers. The contrast between the two labs' approaches is instructive. OpenAI's announcements are largely about process: rules, programmes, policies that govern how the technology is used. DeepMind's manipulation research is about measurement: can we actually detect what we are worried about. Both are necessary, but measurement tends to be harder and, in the long run, more useful. You can write policies about anything; you can only audit what you can measure.
The publicly released toolkit is the most practically valuable part of the announcement. AI safety research has historically been difficult for academic researchers to pursue because they lacked access to frontier models or the resources to run large participant studies. By releasing their methodology rather than just their conclusions, DeepMind has given the broader research community the means to disagree with them, replicate their findings in different contexts, and potentially identify manipulation patterns the original study missed. Whether labs with less safety focus than DeepMind will adopt the same standard is a separate question. But the standard now exists, which is a precondition for anyone adopting it.