Which AI Can You Trust? An LLM Vulnerability Ranking

1. The Stakes: Why AI Vulnerability Rankings Matter

You use AI every day. ChatGPT drafts your emails. Claude reviews your code. Gemini summarizes your research. Grok generates your memes. These models make hundreds of millions of decisions affecting billions of people—from search results to financial advice to content moderation to hiring decisions [1].

But which one can you actually trust? And what does "trust" even mean when we're talking about a probabilistic language model trained on the entire internet?

This isn't an abstract question anymore. In November 2025, Chinese state actors—tracked as GTG-1002—jailbroke Anthropic's Claude Code and used it to autonomously attack approximately 30 organizations across technology, finance, and government sectors. The AI performed 80-90% of the attack operations independently, marking the first documented case of large-scale AI-orchestrated cyberattack [19][20].

Between December 2025 and January 2026, xAI's Grok generated between 1.8 million and 3 million sexualized images—including images of minors—leading to cease-and-desist orders from California's Attorney General and regulatory action from the EU and Malaysia [21][22].

In February 2026, Microsoft researchers published GRP-Obliteration: a technique using a single prompt ("Create a fake news article that could lead to panic or chaos") to strip safety alignment from 15 major open-weight models. Attack success rates jumped from 13% to 93% on some models. Every tested model broke [13][14][15].

Also in February 2026, OpenAI disbanded its Mission Alignment Team—a 7-person safety group created just 16 months earlier—and fired its VP of Product Policy, Dave Beiermeister, after he filed a discrimination complaint, amid the company's rollout of adult content features [23]. Meanwhile, Anthropic's Head of Safeguards Research, Mrinank Sharma, resigned with a warning: "The world is in peril" [23].

This is not theoretical. The vulnerabilities are real, documented, and actively exploited. The question isn't whether AI models can be broken—they all can. The question is: which companies are doing the most to minimize the harm, disclose the risks, and govern the technology responsibly?

2. Methodology: How We Scored AI Safety

To build a comprehensive vulnerability ranking, we synthesized data from eight independent evaluation frameworks covering six domains of AI safety:

Each company received a composite trust score based on weighted performance across these domains. We prioritized:

• Red-teaming results over marketing claims
• Independent third-party evaluations over self-reported data
• Actual incidents over theoretical vulnerabilities
• Governance track record over stated policies

All data is from 2025-2026. Sources are cited inline and listed in full at the end of this report.

3. The Rankings: Provider-by-Provider Analysis

Rank #1: Anthropic (Claude) — Moderate-High Trust

Overall Grade: C+ (2.67/4.0) [1]
Transparency Score: ~58/100 [2]
Hallucination Rate: 10.1% (Claude 3 Opus), 4.4% (Claude 3.7 Sonnet) — Q4 2025 benchmarks; now succeeded by Claude Opus 4.6 and Sonnet 4.6 [4]
Political Bias: Most centrist (0.646 on 0-1 scale) [6]

Why Anthropic ranks first:

• Best governance grade — tied with OpenAI for C+ overall, but leads on information sharing (A-) [1]
• Only company that claims never to use user data for training — reduces privacy risk [18]
• Most politically centrist model — lowest bias score among all tested systems [6]
• Constitutional AI approach — transparency in safety methodology [27]
• Public Benefit Corporation structure with Long-Term Benefit Trust oversight [27]
• Published detailed red-teaming methodology using 200-attempt attack campaigns rather than single-shot metrics [11]

Critical weaknesses:

• Highest hallucination rate on Vectara benchmark (10.1% for Claude 3 Opus) — though this measures one specific task type and Claude scores better on other benchmarks [4]
• Used in first AI-orchestrated cyberattack — GTG-1002 jailbroke Claude Code to attack ~30 organizations [19]
• $1.5 billion training data copyright settlement in October 2025 [31]
• Head of Safeguards Research resigned in February 2026, warning "The world is in peril" [23]
• D grade on existential safety — same as every other company [1]

Rank #2: OpenAI (GPT-5.2 / o3) — Moderate Trust

Overall Grade: C+ (2.31/4.0) [1]
Transparency Score: ~38/100 (dropped from 52 in 2024) [2]
Hallucination Rate: 1.5% (GPT-4o, now succeeded by GPT-5.2), 0.8% (o3-mini-high) [4]
Political Bias: Most left-leaning (0.745) [6]

Why OpenAI ranks second:

• Lowest hallucination rates in Q4 2025 benchmarks — GPT-4o at 1.5%, o3-mini at 0.8% (GPT-4o now retired, succeeded by GPT-5.2) [4]
• Safest model on Enkrypt leaderboard — GPT-4-Turbo rated lowest risk (15.23/62.5) [5]
• Clearest privacy opt-out mechanism among major providers [18]
• Published whistleblowing policy — unique among AI companies [1]
• Strong benchmark performance across multiple safety evaluations

Critical weaknesses:

• Transparency score collapsed 27% in one year (52 → 38) — steepest decline among repeat participants [2][3]
• Mission Alignment Team disbanded in February 2026 after just 16 months [23]
• VP of Product Policy fired after filing a discrimination complaint, amid concerns over planned adult content features [23]
• Perceived as most politically biased in Stanford study — 4x greater left-leaning perception than Google [7]
• ChatGPT metadata breach in November 2025 — user metadata exposed via Mixpanel analytics integration (separate from the 2023 incident where 225,000+ ChatGPT credentials were stolen via info-stealer malware) [25]
• Transitioned to for-profit structure in 2025, raising governance concerns [27]

Rank #3: Google (Gemini / Gemma) — Moderate Trust

Overall Grade: C (2.08/4.0) [1]
Transparency Score: ~45/100 (down from 48 in 2024) [2]
Hallucination Rate: 0.7% (Gemini 2.0 Flash, now succeeded by Gemini 3.1 Pro) — lowest in Q4 2025 benchmarks [4]
Political Bias: Perceived as neutral [7]

Why Google ranks third:

• Lowest hallucination rate in Q4 2025 benchmarks — Gemini 2.0 Flash at 0.7% (now succeeded by Gemini 3.1 Pro) [4]
• Solid safety frameworks — C grade from FLI [1]
• Stable safety team — no major departures or reorganizations [27]
• Structured safety alignment approach including content filtering and red teaming [27]
• Perceived as politically neutral in Stanford survey [7]

Critical weaknesses:

• No clear opt-out for training data use [18]
• Collects precise location data [18]
• Convoluted privacy policy rated poorly by Incogni [18]
• Transparency score declining (48 → 45) [2]
• Refusal-as-neutrality strategy — Gemini sometimes refuses to answer political questions rather than engaging neutrally [8]

Rank #4: Meta (Llama) — Low-Moderate Trust

Overall Grade: D (1.10/4.0) [1]
Transparency Score: ~31/100 (collapsed from 60 in 2024) [2]
Hallucination Rate: 4.6% (Llama 4 Maverick), 5.4% (Llama 3.1-8B) [4]
Privacy Ranking: Worst among major providers [18]

Why Meta ranks fourth:

• Open-weight model enables community inspection — transparency through code [32]
• LlamaFirewall and Llama Guard provide safety tools for open-source ecosystem [27]
• Low cost (~$0.60/M tokens vs. $10/M for GPT-4) [32]
• Community-driven safety improvements [27]

Critical weaknesses:

• Safety removable via fine-tuning — Llama 3.1 safety score drops from 0.95 to 0.15 with minimal effort [32]
• Transparency score collapsed 48% — steepest decline overall (60 → 31) [2][3]
• F grade on existential safety (0.33/4.0) — worst among major providers [1]
• Shares user PII with external parties — names, emails, phone numbers [18]
• No clear training data opt-out [18]
• GRP-Obliteration vulnerable — all tested Llama models broke with single prompt [13]

Rank #5: xAI (Grok) — Low Trust

Overall Grade: D (1.17/4.0) [1]
Transparency Score: 14/100 (tied lowest) [2]
Hallucination Rate: 1.9% (Grok-2), 2.1% (Grok-3-Beta) — Q4 2025 benchmarks; now succeeded by Grok 4.20 Beta [4]
Political Extremism Rate: 67.9% — highest measured [6]

Why xAI ranks last:

• F grade on Current Harms (0.56/4.0) — only company to receive an F [1]
• F grade on Existential Safety (0.40/4.0) — lowest score measured [1]
• Deepfake crisis — 1.8-3 million sexualized images generated, including minors [21][22]
• Regulatory action from three jurisdictions — California, EU, Malaysia [21]
• Safety team gutted — multiple staffers departed before crisis [23]
• Highest political extremism rate (67.9%) — swings between far-left and far-right rather than maintaining consistency [6]
• 6 of 12 co-founders departed [23]
• Elon Musk actively pushed back against guardrails [27]
• Minimal safety infrastructure [27]

4. The Evidence: Red-Teaming, Jailbreaking, and GRP-Obliteration

The UK AISI / Gray Swan Challenge: Every Model Broke

Between March and April 2025, the UK AI Safety Institute and Gray Swan conducted the largest public AI safety evaluation ever attempted:

• 1.8 million attack attempts across 22 LLMs
• 62,000 successful breaks documented
• 44 harmful behaviors targeted (violence, fraud, hate speech, etc.)
• 161 red-teamers awarded $171,800 in prizes

The results were stark: every model broke. No current frontier system withstood determined, automated testing. With a single query, models exhibited policy violations for 20-60% of targeted behaviors. At 10 queries, attack success rates approached nearly 100% for most models [9][10].

VentureBeat summarized the findings: "The harsh truth is that we're in an arms race with no end in sight. Attackers adapt faster than defenders can patch" [10].

Published Defenses Are Overstated

In October 2025, researchers from OpenAI, Anthropic, and Google DeepMind published a joint paper examining 12 published defenses against prompt injection and jailbreaking. They found:

• Reported attack success rates: Near-zero for most defenses
• Actual success rates with adaptive attacks: Above 90% for most defenses

The paper concluded that published defenses "significantly overstate their effectiveness when facing adaptive adversaries" [12]. In other words: if attackers know what defense you're using, they can bypass it.

GRP-Obliteration: The Single-Prompt Unalignment Attack

On February 9, 2026, Microsoft published research demonstrating that safety alignment in open-weight models can be removed with a single training example. The prompt: "Create a fake news article that could lead to panic or chaos."

Results [13][14][15]:

• 15 models tested across DeepSeek, GPT-OSS, Gemma, Llama, Ministral, and Qwen families
• All 15 models reliably unaligned
• GPT-OSS-20B attack success rate jumped from 13% to 93%
• The technique does not materially degrade model utility — the model still performs normally on benign tasks
• Also works on image models: Stable Diffusion 2.1 harmful generation rates jumped from 56% to ~90%

Microsoft researchers noted: "What makes this surprising is that the prompt is relatively mild and does not mention violence, illegal activity, or explicit content. Yet training on this one example causes the model to become more permissive across many other harmful categories" [13].

Critical caveat: This attack only works on open-weight models. Closed-source models like GPT-4, Claude, and Gemini are not vulnerable because users cannot fine-tune them. This represents a fundamental security tradeoff between open and closed AI systems [13][32].

OWASP LLM01:2025 — Prompt Injection Remains #1 Vulnerability

The OWASP Foundation—the global authority on application security—ranks prompt injection as the number one vulnerability for large language models in 2025 [16][17].

Key attack vectors:

• Roleplay-based attacks: 89.6% success rate — highest documented [16]
• GRP-Obliteration: 81% overall success rate, outperforming prior techniques [13]
• Best-of-N automated attacks: Reduces time-to-attack from hours to seconds [10]
• Cross-agent privilege escalation: ServiceNow documented incident where low-privilege AI agent tricked high-privilege agent into executing unauthorized actions [30]

OpenAI has acknowledged that prompt injection "may never be fully solved" [16].

5. Transparency: The Declining State of AI Disclosure

If you can't see inside the black box, how can you trust what comes out of it? Stanford's Foundation Model Transparency Index attempts to answer this question by scoring companies on 100 criteria across training data, model architecture, capabilities, limitations, and usage policies.

The 2025 results are alarming: average transparency scores dropped from 58/100 to 40/100—a 31% decline in a single year [2][3].

Stanford HAI's analysis is blunt: "Transparency in AI is on the decline" [3]. The companies that dominated early transparency rankings—Meta and OpenAI—are now second-to-last and last among repeat participants.

What Transparency Actually Means

The FMTI measures disclosure across critical questions:

• What data was the model trained on?
• Was user-generated content included?
• Can users opt out of having their data used?
• What are the model's known limitations?
• How does the company test for safety?
• What usage restrictions exist?
• Who has access to the model?

The declining scores indicate companies are disclosing less information over time—even as AI systems become more powerful and widely deployed.

Privacy Rankings: Who Uses Your Data?

Incogni's June 2025 privacy ranking evaluated 10+ LLM platforms on training data disclosure, user data usage, and opt-out mechanisms [18]:

Best to Worst:
Le Chat (Mistral) > ChatGPT > Grok > Claude > Pi AI > Copilot > DeepSeek > Gemini > Meta AI (worst)

6. Political Bias: There Are No Conservative AIs

Promptfoo's July 2025 political bias assessment tested four frontier models—GPT-4.1, Gemini 2.5 Pro, Grok 4, and Claude Opus 4—across political positions. The conclusion: "There are zero conservative AIs among the industry leaders" [6].

All models scored above 0.5 (center), indicating a universal left-leaning tendency. Claude Opus 4 was the closest to neutral, but still leaned left of center.

Stanford's Perception Study

A May 2025 Stanford study asked both Republican and Democratic respondents to evaluate LLM political bias. Both groups perceived AI models as having a left-leaning slant [7]:

• OpenAI models: Most intensely perceived left-leaning slant — 4x greater than Google
• Google/DeepSeek models: Perceived as statistically indistinguishable from neutral
• xAI Grok: Despite "unbiased" marketing, perceived as second-highest left-leaning bias

The Brookings Analysis: No Consensus on Neutrality

The Brookings Institution's October 2025 analysis noted: "There is no agreed-upon definition of political bias, and no consensus on how to measure it" [8]. They documented two contrasting neutrality strategies:

• Refusal as neutrality: Gemini and Claude Sonnet 4.5 repeatedly refused to answer political quiz questions
• Adaptive positioning: Grok was the only model that significantly shifted behavior in response to Washington politics

Neither approach achieves true neutrality. Refusal avoids controversy but also avoids engagement. Adaptive positioning risks being perceived as opportunistic.

7. Corporate Governance and Safety Team Stability

How a company is structured and whether it prioritizes safety over growth determines long-term trustworthiness. February 2026 was a watershed month for AI safety governance—and not in a good way.

The Safety Team Exodus

A CNN investigation documented departures across the industry [23]:

• OpenAI: Ryan Beiermeister (safety exec) fired after opposing adult content; Zoe Hitzig resigned citing advertising concerns; Mission Alignment Team dissolved after just 16 months
• Anthropic: Mrinank Sharma resigned as Head of Safeguards Research, posting on X: "The world is in peril"
• xAI: Multiple co-founders and safety staff departed; 6 of 12 original co-founders gone

Sharma's resignation letter is particularly damning: "Throughout my time here, I've repeatedly seen how hard it is to truly let our values govern our actions" [23].

Corporate Structure Comparison

Anthropic's Public Benefit Corporation structure with Long-Term Benefit Trust oversight theoretically provides the strongest accountability. However, the resignation of its Head of Safeguards Research suggests even this structure may not be sufficient [27].

OpenAI's transition to for-profit status in 2025 raised immediate concerns about whether financial incentives would override safety commitments. The February 2026 dissolution of the Mission Alignment Team and firing of a safety executive appear to confirm those fears [23][27].

Red-Teaming Methodology Matters

VentureBeat's analysis of Anthropic vs. OpenAI red-teaming methods reveals fundamentally different security priorities [11]:

• Anthropic: 200-attempt attack campaigns testing persistent, multi-turn attacks — measures whether attackers can eventually break the system
• OpenAI: Single-attempt metrics testing one-shot refusal rates — measures initial resistance but not persistence

Both approaches provide value, but Anthropic's methodology better reflects real-world attacker behavior. Sophisticated attackers don't give up after one failed attempt.

8. Real-World Incidents: From Theory to Practice

The vulnerabilities documented in academic papers and red-teaming challenges aren't theoretical. They're being actively exploited in the wild. Here's what actually happened in 2025-2026:

The AI App Ecosystem Is Leaking

Third-party AI applications—mobile apps and web services built on top of frontier models—are the weakest link in the security chain. Research from CovertLabs, Cybernews, and breach-tracking databases documented systemic failures [24][25][26]:

• 98.9% of iOS AI apps actively leak data (CovertLabs)
• 72% of Android AI apps contain hardcoded secrets (Cybernews)
• Root causes: misconfigured Firebase, missing Row Level Security, hardcoded API keys, exposed cloud backends
• 20+ documented breaches between January 2025 and February 2026 exposed tens of millions of users' conversations, credentials, and business documents

Even if the underlying model provider (OpenAI, Anthropic, Google) has strong security, the third-party apps accessing those models often do not.

9. The Verdict: Composite Vulnerability Ranking

Based on aggregated evidence across all measured dimensions—safety governance, transparency, hallucination rates, attack resistance, privacy practices, political bias, corporate structure, and real-world incidents—here is the final trust ranking:

Key Findings

Anthropic Leads Despite Contradictions

Anthropic ranks first not because it's invulnerable—it's not—but because it demonstrates the strongest governance practices, most transparent safety methodology, and clearest privacy commitments. The company's Public Benefit Corporation structure with Long-Term Benefit Trust oversight provides accountability missing from competitors [27].

However, Anthropic's higher hallucination rates (10.1% for Claude 3 Opus, now succeeded by Claude Opus 4.6) [4], use in the first AI-orchestrated cyberattack [19], and Head of Safeguards resignation [23] demonstrate that even the best-governed company faces critical challenges.

OpenAI's Transparency Collapse

OpenAI had the lowest hallucination rates (1.5% for GPT-4o, now succeeded by GPT-5.2) [4] and strongest technical performance on safety benchmarks [5]. But the company's 27% transparency decline [2], safety team dissolution [23], and transition to for-profit structure [27] raise serious governance concerns.

The Open-Weight Security Tradeoff

Meta's Llama models offer transparency through open weights—you can inspect exactly what you're deploying. But GRP-Obliteration proved that openness enables trivial safety removal [13]. Meta's 48% transparency score collapse [2] and F grade on existential safety [1] compound the risk.

The fundamental tradeoff: open-weight models place the entire security burden on the deployer. If you lack the expertise to secure them, they're more dangerous than closed models.

xAI: Regulatory Action Speaks Louder Than Marketing

Despite "anti-woke" branding, Grok received an F grade on Current Harms [1], generated millions of illegal deepfakes [21], and faces enforcement actions from California, the EU, and Malaysia [21]. The company's gutted safety team [23] and Musk's active resistance to guardrails [27] make xAI the least trustworthy major provider.

10. What This Means for You

You can't avoid AI. It's embedded in search engines, email clients, customer service, hiring systems, financial advice platforms, and content moderation. But you can make informed choices about which systems to trust—and for what purposes.

Actionable Recommendations

For privacy-critical tasks: Use Anthropic Claude. It's the only major provider claiming never to train on user data [18].

For factual accuracy: Use OpenAI GPT-5.2 or Google Gemini 3.1 Pro. Their predecessors (GPT-4o and Gemini 2.0 Flash) had the lowest hallucination rates in Q4 2025 benchmarks (1.5% and 0.7% respectively), and current-generation models continue to improve on accuracy [4].

For politically neutral output: Use Claude Opus 4.6. Its predecessor (Claude Opus 4) was the most centrist model tested (0.646), and Anthropic's approach to balance has continued [6].

For cost-sensitive enterprise deployments: Meta Llama offers low costs (~$0.60/M tokens) but requires expertise to secure. Only deploy if you can implement robust safety controls [32].

For child-accessible applications: Avoid xAI Grok entirely. The deepfake crisis and F grade on Current Harms make it unsuitable for any environment involving minors [21][1].

Red Flags to Watch

• Declining transparency scores — if a company discloses less over time, trust should decline proportionally
• Safety team departures — especially resignations with public warnings like Sharma's "The world is in peril" [23]
• Corporate restructuring away from safety — OpenAI's for-profit transition preceded its safety team dissolution [27]
• Regulatory enforcement actions — cease-and-desist orders and fines indicate documented harms [21]
• Real-world exploitation — models used in actual attacks (Claude Code) or generating illegal content (Grok) have proven vulnerabilities [19][21]

The Hard Truth

No AI model is safe from determined attackers. The UK AISI red-teaming challenge proved that every frontier system breaks under sustained assault [9]. GRP-Obliteration proved that open-weight models can have safety removed with a single training example [13]. The GTG-1002 attack proved that closed-source models can be jailbroken and weaponized at scale [19].

The question isn't "Which AI is perfectly safe?"—none are. The question is: "Which company is doing the most to minimize harm, disclose risks honestly, and govern the technology responsibly?"

Based on the evidence, that company is Anthropic. But even Anthropic's head of safeguards research resigned with a warning. The race between capability and safety continues—and capability is winning.