This paper addresses the risk that existing LLM agent control measures may become ineffective as AI capabilities evolve. To mitigate this, it introduces the first dynamic, capability-aware control evaluation framework. Methodologically, it establishes a five-level AI Control Level (ACL) taxonomy—M1 through M5—replacing static human-knowledge assumptions with empirically grounded capability profiling, dynamically configured red-teaming privileges, formalized safety case construction, and tiered evaluation protocols. This enables proportional, operationally tractable control verification across the full capability spectrum. The core contribution is the first continuous control evaluation paradigm spanning current LLMs to future superintelligence, explicitly defining evaluation criteria, control requirements, and safety evidence standards at each level—and identifying the necessity of foundational safety paradigm shifts for superintelligent systems.

As LLM agents grow more capable of causing harm autonomously, AI developers will rely on increasingly sophisticated control measures to prevent possibly misaligned agents from causing harm. AI developers could demonstrate that their control measures are sufficient by running control evaluations: testing exercises in which a red team produces agents that try to subvert control measures. To ensure control evaluations accurately capture misalignment risks, the affordances granted to this red team should be adapted to the capability profiles of the agents to be deployed under control measures. In this paper we propose a systematic framework for adapting affordances of red teams to advancing AI capabilities. Rather than assuming that agents will always execute the best attack strategies known to humans, we demonstrate how knowledge of an agents's actual capability profile can inform proportional control evaluations, resulting in more practical and cost-effective control measures. We illustrate our framework by considering a sequence of five fictional models (M1-M5) with progressively advanced capabilities, defining five distinct AI control levels (ACLs). For each ACL, we provide example rules for control evaluation, control measures, and safety cases that could be appropriate. Finally, we show why constructing a compelling AI control safety case for superintelligent LLM agents will require research breakthroughs, highlighting that we might eventually need alternative approaches to mitigating misalignment risk.