The score is not the job
Ask a vendor how good their AI is and you get a number. It scored 90 on this, it topped the leaderboard on that. The number sounds like proof. It almost never is.
Here is the problem. A benchmark measures whatever it was built to measure. Most public AI benchmarks were built to compare general-purpose models on general-purpose tasks. They were never built to answer the only question a compliance team actually cares about: can this tool finish a real obligation, completely and correctly, in a way an auditor will accept?
Stanford HAI made the gap explicit. Reviewing more than 50 benchmarks, its AI Index found many had saturated around 80 to 90 percent accuracy, and it highlighted cases where models were already above human baselines on specific tests. Yet as HAI put it, a model can meet these benchmarks quite well and still give incorrect answers when you actually use the tool. High score, wrong work. That is the whole trap in one sentence.
Why generic benchmarks lie about domain competence
Take MMLU, the benchmark everyone quotes. It is a bank of multiple-choice questions across dozens of subjects. A model reads a question, picks A, B, C, or D, and gets scored on how many it picks correctly.
Notice what that format can and cannot see. As one widely cited evaluation guide points out, multiple-choice benchmarks only measure a model's ability to select from predefined options. Real compliance work has no options list. There is no A, B, C, D for mapping ISO controls to evidence or deciding whether a regulation applies to your entity. The work is open-ended, cumulative, and unforgiving.
So a model can top MMLU and still be unable to produce a complete control mapping, because the two skills are not the same skill. Recognizing the right answer among four is trivial next to generating every required answer with nothing prompting you. Generic benchmarks reward recognition. Compliance demands production. A number from the first tells you almost nothing about the second.
Fluency is not completeness
The most seductive failure in AI evaluation is mistaking a good-sounding answer for a complete one. General-purpose models are optimized to be fluent. They produce prose that reads as authoritative whether or not it covers what the task required.
Compliance does not grade prose. It grades coverage. A response that fluently addresses six of twelve obligations and says nothing about the other six is not 50 percent good. In an audit it is a failure, because the six it dropped are invisible until someone checks. Fluency actively hides the gap. The answer sounds finished, so no one goes looking for what is missing.
That is why a real benchmark has to measure completeness against a fixed set of expert-defined requirements, not readability. The question is never how good does this sound. The question is how much of the required work is actually here, and can every claim be traced to a source. This is the standard behind Sorena's own benchmark work on real GRC tasks, where coverage against an auditor checklist is the score and everything else is noise.
Use a buyer-ready benchmark rubric
Before trusting any AI benchmark, ask for the rubric. The minimum credible package is the task prompt, expected answer elements, source set, scoring criteria, reviewer qualifications, baseline model version, run date, coverage denominator, and examples of failed answers.
If those details are missing, the score is a marketing asset, not evidence. A compliance benchmark should make weak spots inspectable. You should be able to see whether the system missed obligations, cited weak sources, guessed around uncertainty, or produced a correct answer for the wrong reason.
Real tasks, scored by real experts
A credible benchmark has two non-negotiable properties. The tasks are real, and the scoring is done by people who do the work for a living.
Real tasks means drawn from the actual job: a privacy audit, a framework crosswalk, an applicability analysis, a clause-by-clause delta. Not sanitized textbook questions. Real work is messy, and messy is exactly where fluent-but-wrong answers get exposed.
Expert scoring means an auditor, not a model, decides whether the output is complete and defensible. Self-scored benchmarks and model-graded benchmarks are convenient but risky: the system being tested, or a sibling of it, may be deciding how well it did. NIST SP 1270 frames AI bias as socio-technical and emphasizes context of use, human factors, stakeholder involvement, and task-specific evaluation. For compliance work, that points to domain expert review as the practical ground truth. If your benchmark cannot explain who scored it and what rubric they used, it is not evidence. It is a press release.
How benchmarks get gamed
Once a benchmark becomes a marketing target, it stops measuring competence and starts measuring optimization toward the test. There are three common ways this happens, and you should assume all three are possible until the methodology rules them out.
- Contamination. If the test questions leaked into training data, the model may be recalling answers rather than solving problems. Public benchmarks are especially exposed because they have been visible for years.
- Overfitting to the format. A model tuned to pick multiple-choice answers can look brilliant on multiple-choice and weak on open-ended production work. The score reflects the format as much as the capability.
- Saturation theater. When everyone clusters at 90 percent, a one-point lead gets marketed as dominance. HAI documented ImageNet moving from 91 percent to 91.1 percent in a year. That is a rounding error dressed as progress.
The defense is simple to state and hard to fake: fresh tasks the model is unlikely to have seen, an open-ended format that mirrors the real job, and independent expert scoring. A benchmark that survives all three is much harder to turn into a number that lies.
What a real compliance benchmark looks like
Put the pieces together and the design writes itself. A benchmark you can actually trust for compliance has all of these, not some:
- Tasks pulled from real GRC work, not multiple-choice trivia.
- An open-ended format that requires producing the full answer, not selecting one.
- Scoring against a fixed checklist of expert-defined requirements.
- Independent auditors as the judges, ideally in more than one pass.
- Completeness and source grounding as the primary metrics, with factual errors tracked explicitly.
- Tasks fresh enough that contamination is unlikely.
This is the standard Sorena holds its own system to, and it is why the results are worth reporting rather than the score being self-declared. When a benchmark is built this way, the number finally means something: it predicts whether the tool finishes the job. That prediction is the entire point, and it is exactly why Sorena AI is built to execute compliance work end to end rather than to sound good in a demo.
HAI's own conclusion points the same direction. Its researchers now favor comprehensive evaluations like HELM that measure accuracy alongside robustness and other real-world factors, because a single saturated accuracy number no longer tells you enough.
How to read a vendor's benchmark number
You do not need to run your own evaluation to protect yourself. You need to ask the questions a real benchmark can answer and a vanity one cannot.
- What were the tasks, and were they real or multiple-choice?
- Who scored the output, the vendor's own model or an independent domain expert?
- Was the metric completeness against a checklist, or a leaderboard rank?
- Could the test data have been in training?
- Can you reproduce it on your own tasks?
If the answers are vague, the number is decoration. If they are specific, you have something real. The best move is the one no marketing deck can survive: run the tool on your own work, hand the output to your own auditor, and count what is missing. The score you generate yourself is the only one that predicts your outcome.
Frequently asked questions
Are benchmarks like MMLU useless?+
No. They are useful for what they were designed for: comparing general-purpose models on broad, multiple-choice knowledge. They just do not predict domain competence. A high MMLU score tells you a model is broadly capable, not that it can produce complete, defensible compliance work on open-ended tasks.
Why do experts have to score a compliance benchmark instead of an automated metric?+
Because completeness and defensibility are judgment calls that depend on context. An automated metric can check whether text matches a reference, but it cannot reliably decide whether an obligation was fully addressed or whether a claim is traceable to a valid source. NIST SP 1270 treats AI evaluation and bias management as socio-technical work involving context of use, human factors, stakeholder involvement, and task-specific evaluation, not just a single automated score. For compliance work, the expert is the practical ground truth.
How do I know a vendor's benchmark was not gamed?+
Ask three questions. Were the tasks fresh and open-ended, or scraped multiple-choice questions the model may have trained on. Who scored the output, an independent expert or the vendor's own model. Can you reproduce the result on your own tasks. A benchmark that survives all three is hard to fake. One that dodges them is marketing.
Sources
- AI Benchmarks Hit Saturation (Stanford HAI)https://hai.stanford.edu/news/ai-benchmarks-hit-saturation?ref=sorena.io
- Understanding the 4 Main Approaches to LLM Evaluation (Sebastian Raschka)https://magazine.sebastianraschka.com/p/llm-evaluation-4-approaches?ref=sorena.io
- Towards a Standard for Identifying and Managing Bias in AI (NIST SP 1270)https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.Sp.1270.pdf?ref=sorena.io


