When we build apps on top of Large Language Models, we need to evaluate the app responses for quality and safety. When we evaluate the quality of an app, we're making sure that it provides answers that are coherent, clear, aligned to the user's needs, and in the case of many applications: factually accurate. I've written here about quality evaluations, plus gave a recent live stream on evaluating RAG answer quality.
When we evaluate the safety of an app, we're ensuring that it only provides answers that we're comfortable with our users receiving, and that a user cannot trick the app into providing unsafe answers. For example, we don't want answers to contain hateful sentiment towards groups of people or to include instructions about engaging in destructive behavior. See more examples of safety risks in this list from Azure AI Foundry documentation.
Thanks to the Azure AI Evaluation SDK, I have now added a safety evaluation flow to two open-source RAG solutions, RAG on Azure AI Search, and RAG on PostgreSQL, using very similar code. I'll step through the process in this blog post, to make it easier for all you to add safety evaluations to your own apps!
The overall steps for safety evaluation:
- Provision an Azure AI Project
- Configure the Azure AI Evaluation SDK
- Simulate app responses with AdversarialSimulator
- Evaluate the responses with ContentSafetyEvaluator
Provision an Azure AI Project
We must have an Azure AI Project in in order to use the safety-related functionality from the Azure AI Evaluation SDK, and that project must be in one of the regions that support the safety backed service.
Since a Project must be associated with an Azure AI Hub, you either need to create both a Project and Hub, or reuse existing ones. You can then use that project for other purposes, like model fine-tuning or the Azure AI Agents service.
You can create a Project from the Azure AI Foundry portal, or if you prefer to use infrastructure-as-code, you can use these Bicep files to configure the project. You don't need to deploy any models in that project, as the project's safety backend service uses its own safety-specific GPT deployment.
Configure the Azure AI Evaluation SDK
The Azure AI Evaluation SDK is currently available in Python as the azure-ai-evaluation package, or in .NET as the Microsoft.Extensions.AI.Evaluation. However, only the Python package currently has support for the safety-related classes.
First we must either add the azure-ai-evaluation Python package to our requirements file, or install it directly into the environment:
pip install azure-ai-evaluationThen we create a dict in our Python file with all the necessary details about the Azure AI project - the subscription ID, resource group, and project name. As a best practice, I store those values environment variables:
from azure.ai.evaluation import AzureAIProject
azure_ai_project: AzureAIProject = {
"subscription_id": os.environ["AZURE_SUBSCRIPTION_ID"],
"resource_group_name": os.environ["AZURE_RESOURCE_GROUP"],
"project_name": os.environ["AZURE_AI_PROJECT"],
}
Simulate app responses with AdversarialSimulator
Next, we use the AdversarialSimulator class to simulate users interacting with the app in the ways most likely to produce unsafe responses.
We initialize the class with the project configuration and a valid credential. For my code, I used keyless authentication with the AzureDeveloperCliCredential class, but you could use other credentials as well, including AzureKeyCredential.
adversarial_simulator = AdversarialSimulator(
azure_ai_project=azure_ai_project, credential=credential)Then we run the simulator with our desired scenario, language, simulation count, randomization seed, and a callback function to call our app:
from azure.ai.evaluation.simulator import (
AdversarialScenario,
AdversarialSimulator,
SupportedLanguages,
)
outputs = await adversarial_simulator(
scenario=AdversarialScenario.ADVERSARIAL_QA,
language=SupportedLanguages.English,
max_simulation_results=200,
randomization_seed=1,
target=callback
)The SDK supports multiple scenarios. Since my code is evaluating a RAG question-asking app, I'm using AdversarialScenario.ADVERSARIAL_QA. My evaluation code would also benefit from simulating with AdversarialScenario.ADVERSARIAL_CONVERSATION since both RAG apps support multi-turn conversations. Use the scenario that matches your app.
For the AdversarialScenario.ADVERSARIAL_QA scenario, the simulated questions are based off of templates with placeholders, and the placeholders filled with randomized values, so hundreds of questions can be generated (up to the documented limits). Those templates are available in multiple languages, so you should specify a language code if you're evaluating a non-English app.
We use the max_simulation_results parameter to generate 200 simulations. I recommend starting with much less than that when you're testing out the system, and then discussing with your data science team or safety team how many simulations they require before deeming an app safe for production. If you don't have a team like that, then one approach is to run it for increasing numbers of simulations and track the resulting metrics as simulation size increases. If the metrics keep changing, then you likely need to go with the higher number of simulations until they stop changing.
The target parameter expects a local Python function that matches the documented signature: it must accept a particular set of arguments, and respond with messages in a particular format.
Whenever I run the safety evaluations, I send the simulated questions to the local development server, to avoid the latency and security issues of sending requests to a deployed endpoint. Here's what that looks like as a callback function:
async def callback(
messages: dict,
stream: bool = False,
session_state: Any = None
):
messages_list = messages["messages"]
query = messages_list[-1]["content"]
headers = {"Content-Type": "application/json"}
body = {
"messages": [{"content": query, "role": "user"}],
"stream": False
}
url = "http://127.0.0.1:8000/chat"
r = requests.post(url, headers=headers, json=body)
response = r.json()
if "error" in response:
message = {"content": response["error"], "role": "assistant"}
else:
message = response["message"]
return {"messages": messages_list + [message]}
While the simulator is running, you'll see the progress status in the terminal. This can take a significant amount of time (5 seconds per simulation, in my case), since it needs to generate the question and send it to your app for answering.
Once the simulations are done running, they're available in the returned list. If you want, you can easily save them to a local JSONL file, following the example from the documentation:
output_file = "grounding_simulation_output.jsonl"
with open(output_file, "w") as file:
for output in outputs:
file.write(output.to_eval_qr_json_lines())
I experimented with saving the outputs locally, but when I saw how disturbing some of the questions were, I opted to only keep the outputs in memory, so that fellow developers wouldn't accidentally wander into the questions file when working on the app. 😱
Evaluate the responses with ContentSafetyEvaluator
Now that we have stored responses from our app, we can use the evaluators from the SDK to rate the safety levels of the responses. Ideally, our app's response is some sort of refusal, like "I can't answer that question", which would be considered a very safe response. In my case, since these RAG apps use Azure OpenAI models that have a built-in Content Safety filter for both the prompt and response, a common response was "That question violated the Content Safety Filter", which is also a very safe response, and proves that the filter is working well.
The Azure AI Evaluation SDK includes multiple evaluators for safety violations: ViolenceEvaluator, SexualEvaluator, SelfHarmEvaluator, HateUnfairnessEvaluator, and a composite evaluator that covers all four: ContentSafetyEvaluator. For a more performant evaluation, I went for the composite evaluator.
I run the ContentSafety evaluator on each app response, and track the overall score statistics in a dictionary:
from azure.ai.evaluation import ContentSafetyEvaluator
evaluators = ["hate_unfairness", "sexual", "violence", "self_harm"]
summary = {evaluator: {"low_count": 0, "score_total": 0}
for evaluator in evaluators}
for output in outputs:
query = output["messages"][0]["content"]
answer = output["messages"][1]["content"]
safety_eval = ContentSafetyEvaluator(
credential=credential, azure_ai_project=azure_ai_project)
eval_score = safety_eval(query=query, response=answer)
for evaluator in evaluators:
if eval_score[evaluator] == "Very low" or severity_level == "Low":
summary[evaluator]["low_count"] += 1
summary[evaluator]["score_total"] += eval_score[f"{evaluator}_score"]
Each evaluator response includes three components: a numeric score (1-7), a corresponding word score ("Very low", "Low", etc), and a reason.
I keep track of the average score across all the simulations, as well as the fraction of times that a response earns either "Very low" or "Low". Once I've computed the overall statistics, I store the results in a file that looks like this:
{
"hate_unfairness": {
"low_count": 200,
"score_total": 182,
"mean_score": 0.91,
"low_rate": 1.0
},
"sexual": {
"low_count": 200,
"score_total": 184,
"mean_score": 0.92,
"low_rate": 1.0
},
"violence": {
"low_count": 200,
"score_total": 184,
"mean_score": 0.92,
"low_rate": 1.0
},
"self_harm": {
"low_count": 200,
"score_total": 185,
"mean_score": 0.925,
"low_rate": 1.0
}
}As you can see, every evaluator had a 100% low rate, meaning every response earned either a "Very low" or "Low". The average score is slightly above zero, but that just means that some responses got "Low" instead of "Very low", so that does not concerned me. This is a great result to see, and gives me confidence that my app is outputting safe responses, especially in adversarial situations.
When should you run safety evaluations?
Running a full safety evaluation takes a good amount of time (~45 minutes for 200 questions) and uses cloud resources, so you don't want to be running evaluations on every little change to your application. However, you should definitely consider running it for prompt changes, model version changes, and model family changes.
For example, I ran the same evaluation for the RAG-on-PostgreSQL solution to compare two model choices: OpenAI gpt-4o (hosted on Azure) and Lllama3.1:8b (running locally in Ollama). The results:
| Evaluator | gpt-4o-mini - % Low or Very low | llama3.1:8b - % Low or Very low |
|---|---|---|
| Hate/Unfairness | 100% | 97.5% |
| Sexual | 100% | 100% |
| Violence | 100% | 99% |
| Self-Harm | 100% | 100% |
When we see that our app has failed to provide a safe answer for some questions, it helps to look at the actual response. For all the responses that failed in that run, the app answered by claiming it didn't know how to answer the question but still continue to recommend matching products (from its retrieval stage). That's problematic since it can be seen as the app condoning hateful sentiments or violent behavior. Now I know that to safely use that model with users, I would need to do additional prompt engineering or bring in an external safety service, like Azure AI Content Safety.
More resources
If you want to implement a safety evaluation flow in your own app, check out:
- Learning module: Evaluating generative AI applications
- MS Learn Docs: How to generate synthetic and simulated data for evaluation
- MS Learn Docs: Local evaluation with the Azure AI Evaluation SDK
- The pull request that added safety evaluations to the RAG with Azure AI Search repo
- The pull request that added safety evaluations to the RAG with PostgreSQL repo
You should also consider evaluating your app for jailbreak attacks, using the attack simulators and the appropriate evaluators.