AI model benchmarks: A field guide and Tonic.ai's benchmark library

AI training data is the labeled or structured data used to teach a machine learning model the patterns it needs to make predictions or generate outputs.

By Adam Kamor, PhD, Co-Founder & Head of Engineering at Tonic.ai
Updated July 2026
0 min read

AI model benchmarks are standardized tests that measure how well a model performs on defined tasks: reasoning, coding, knowledge, safety. They're essential for comparing models, but in 2026 the most-cited benchmarks are saturated and increasingly gamed, so a high public score no longer guarantees real-world performance. The benchmarks that actually predict how a model will behave for you are the ones run on data it hasn't seen and that reflects your real domain.

What AI model benchmarks are (and why they matter)

An AI model benchmark is a standardized test that runs a model against a fixed set of tasks and reports the result as a comparable score. The task might be answering graduate-level science questions, fixing a real bug in an open-source repository, or summarizing a document without inventing facts. Because every model faces the same inputs and the same scoring rule, a benchmark turns "this model feels smarter" into a number you can put next to another number.

That comparability is why LLM benchmarks sit at the center of how the field moves. When a lab ships a new model, the release note leads with benchmark scores. When you shortlist models for a feature, you start with the leaderboards. When a procurement team compares vendors, benchmark tables are the first evidence anyone puts forward. The scores set expectations, justify budgets, and decide which models even make it into a pilot. A single benchmark number can move a launch date or a budget line, which is why a score deserves scrutiny before it drives a decision.

In practice, teams reach for benchmarks to do a handful of concrete jobs:

  • Compare candidate models before committing engineering time to any one of them.
  • Track progress over time, whether this quarter's model is meaningfully better than last quarter's, or just newer.
  • Justify a selection to stakeholders who want evidence, not intuition.
  • Catch regressions when a provider updates a model behind the same API name.
  • Estimate cost and latency trade-offs alongside raw capability.

Benchmarking is also a live research discipline in its own right, not a settled catalog of tests. New benchmarks appear constantly, because the useful life of any single test is short: once a benchmark becomes the number everyone optimizes for, models start clustering at the top, and researchers build a harder one to restore the signal. You can watch the cycle in the record — MMLU gave way to MMLU-Pro, HumanEval to SWE-bench, and GPQA to its harder Diamond subset, each successor built to reopen a gap its predecessor had closed. The design of a good benchmark — what it measures, how it resists gaming, and whether its answers are actually correct — is an active field that some AI teams invest in directly, because the quality of the test is what determines whether a score means anything.

That churn points at the tension running underneath every score. Benchmarks are how the field compares models, and they work well enough to be indispensable. But a high public score increasingly fails to predict how a model will perform on your data, in your domain, under your constraints. What separates a benchmark you can trust from one that misleads you turns out to be the data underneath it.

The major categories of AI model benchmarks

No single benchmark captures everything a model can do, so the field organizes evaluation by capability. A model that tops a coding benchmark can be mediocre at long-context retrieval; a model with encyclopedic knowledge can fail at multi-step reasoning. Reading across categories, rather than fixating on one headline score, is the only way to get an honest picture of a model's strengths and weak spots.

The headline, general-capability benchmarks fall into a handful of families. Each measures something specific, and each comes with its own way of being misread.

Category Example benchmarks What it measures Watch-outs
Knowledge MMLU, MMLU-Pro Breadth of factual and academic knowledge across dozens of subjects The original MMLU is largely saturated; frontier models score near the ceiling, so small differences are meaningless
Reasoning GPQA Diamond, ARC-AGI, Humanity's Last Exam Multi-step problem solving and genuinely hard, "Google-proof" questions Designed to be hard today, but a target for contamination tomorrow; check whether the test set is held out
Math MATH, AIME Formal problem solving, from competition math to proof-style reasoning Answer-only scoring can reward a lucky final number over sound reasoning
Coding SWE-bench Verified, HumanEval, LiveCodeBench Writing and fixing code, from single functions to real repository issues HumanEval is saturated; prefer contamination-resistant, time-windowed tests like LiveCodeBench
Agents GAIA, Terminal-Bench Tool use, planning, and completing multi-step tasks in an environment Scores swing hard with scaffolding and prompt design, not just the base model
Multimodal MMMU Understanding across text, images, charts, and diagrams A strong text model can post a weak multimodal score, and vice versa
Human preference Arena Elo (LMArena) Which model people prefer in head-to-head, blind comparisons Measures preference and style, not correctness; easy to conflate "liked" with "right"

The knowledge, reasoning, and math families test what most people picture as raw intelligence: recall across academic subjects, multi-step problem solving, and formal derivation. They saturate fastest, because they have clean right answers that are cheap to score and easy to train against, which is exactly why the field keeps shipping harder successors like MMLU-Pro and GPQA Diamond to replace the versions models have already caught up to.

Coding and agent benchmarks measure something closer to real work. SWE-bench Verified doesn't ask a model to recite an algorithm; it hands the model an actual GitHub issue and checks whether its patch passes the repository's own test suite — a far higher bar than generating a single correct function, which is why saturated function-level tests like HumanEval have lost their signal. Agent benchmarks such as GAIA and Terminal-Bench go further, scoring whether a model can plan and complete a multi-step task with tools. Their results are notoriously sensitive to the scaffolding around the model, so two teams evaluating the same base model can report very different numbers depending on how they wired it up.

Multimodal and human-preference benchmarks round out the picture from opposite ends. MMMU tests understanding across images, charts, and diagrams, where a model with a strong text score can post a surprisingly weak one. Arena Elo measures nothing about correctness at all: it aggregates blind human votes into a ranking, capturing how much people like a model's answers (tone and confidence included) which can diverge sharply from how accurate those answers actually are.

Two patterns cut across these categories. First, the "verified" and "-Pro" variants exist precisely because their predecessors stopped discriminating between good models, a pattern that repeats as models catch up to each new test. Second, and more important for real decisions: beyond these general-capability tests sits a long tail of task-specific and domain benchmarks — PII detection, safety and jailbreak resistance, retrieval quality, domain-specific reasoning. These rarely make the headline leaderboards, yet they're often where the most decision-relevant evaluation actually happens, because they test the thing your application actually does. A general-capability benchmark tells you which model is broadly strong; a domain benchmark tells you which model is right for your job.

How benchmark scores are calculated and reported

A benchmark score reflects how the test was run as much as which model ran it. The same model can post very different numbers depending on the scoring rule, the prompting setup, and which slice of the test set was used, which is why two "MMLU scores" for the same model don't always agree.

The scoring rule itself varies by category. Accuracy, the share of questions answered correctly, is the default for knowledge and reasoning tests. Coding benchmarks often report pass@k, the probability that at least one of k attempts passes the test suite, so a "pass@1" and a "pass@10" for the same model measure different things. Human-preference benchmarks report an Elo rating derived from pairwise votes, which ranks models against each other rather than against a fixed answer key. That makes Elo useful for ordering models but weak as an absolute measure: a 20-point Elo gap means one model wins the head-to-head slightly more often, not that it's 20 percent better at anything.

Setup matters just as much. A zero-shot score gives the model the task cold; a few-shot score primes it with worked examples first, and few-shot numbers are usually higher. "Verified" subsets, like SWE-bench Verified, are human-reviewed slices where broken or ambiguous items have been removed, so they report higher, cleaner numbers than the full set. Who ran the evaluation matters too: a score a lab reports for its own model, using its own harness, isn't directly comparable to one an independent party measured under different conditions. Reading a model card without being misled means checking all of these before comparing anything.

A quick checklist for any benchmark score you're handed:

  • What's the scoring rule — accuracy, pass@k, or Elo — and does it match the comparison you're making?
  • Zero-shot or few-shot? Full set or a "verified" subset?
  • Who ran the evaluation: the model's own lab, or an independent party?
  • Is the test set public, and could it have leaked into training?
  • When was the score measured, relative to the model version behind the API today?

Most of the datasets and community benchmarks behind these scores are published openly on hubs like Hugging Face, where anyone can inspect the exact examples, the labels, and the scoring code. This is also where independent, domain-specific benchmarks tend to live, including those published by Tonic.ai.

Why benchmarks saturate and stop being useful

The most-cited benchmarks have saturated: frontier models now cluster within a point or two of each other, differences fall inside the margin of noise, and the scores are increasingly gamed. A test that once separated a strong model from a weak one now returns 90-plus for nearly everything, which makes it useless for the one job a benchmark exists to do: telling models apart.

Part of this is simple progress. When MMLU launched, it was genuinely hard; today's top models answer almost everything, so the remaining gap is a handful of ambiguous or mislabeled questions rather than a real capability difference. But saturation is also self-inflicted, and Goodhart's Law explains why: when a measure becomes a target, it stops being a good measure. Once a benchmark becomes the number labs advertise and customers screen on, the incentive shifts from building better models to posting better scores, tuning on the benchmark's format, its question style, even its quirks.

The sharper problem is contamination. Benchmarks are published openly so the field can reproduce them, which means their questions and answers end up in the web-scale corpora used to train the next generation of models. A model that has effectively seen the test during training will ace it without generalizing, and the score tells you nothing about how it handles a problem it hasn't memorized. Contamination is hard to detect and harder to prove, and it's the single biggest reason public scores drift away from real-world performance.

A concrete version makes the risk clear. Say a reasoning benchmark publishes 500 question-answer pairs to a public repository so others can reproduce its results. Within months, that repository has been crawled into the training data for the next round of models. A model trained on it can now reproduce the exact answers without doing any reasoning, and it posts a near-perfect score that collapses the moment you hand it a fresh question of the same type. You can't see this from the leaderboard; the number looks like capability and is actually recall.

Labs and benchmark authors fight back with held-out private test sets, canary strings that reveal when a benchmark has leaked into a corpus, and time-windowed tests built only from problems published after a model's training cutoff. Each helps, and each is partial: private sets can't be independently reproduced, canaries only catch leaks you thought to mark, and time-windowing shrinks the usable test set every month. Contamination is a moving target, and the benchmarks with the most prestige are precisely the ones most exposed to it.

The saturation crisis, in short: the benchmarks the industry cites most are the ones models have most likely trained on and most heavily optimized for. High scores increasingly reflect familiarity with the test, not capability on your work — so a leaderboard position is a starting hypothesis, not evidence.

None of this means benchmarks are worthless; it means a public score is a claim to be checked, not a fact to be trusted. The models still differ in ways that matter; the differences just no longer show up on the tests everyone quotes. To see them, you have to change what you measure and what you measure it on.

Choosing the right benchmark for your use case

Match the benchmark to the job you're actually hiring the model for. A general leaderboard ranking tells you which models are broadly capable; it doesn't tell you which one will resolve your support tickets, retrieve from your knowledge base, or reason over your contracts. Start from the task, then find the benchmark that most closely resembles it.

Read a suite, not a single number. Any one benchmark captures a narrow slice of behavior, and models trade strengths across categories, so a shortlist built on one score will mislead you. A model that leads on GPQA reasoning might trail on SWE-bench coding, and picking it for a coding agent because it "tops the leaderboard" is a category error. Look at three or four benchmarks that bracket your use case, and treat a model that's consistent across them as a safer bet than one that spikes on a single test. Consistency is harder to game than a peak.

Weigh the operational numbers alongside accuracy. A model that's two points stronger but three times slower and five times more expensive is often the wrong choice for production, especially for a high-volume feature where every call multiplies the cost and the latency. A support-triage agent handling thousands of tickets a day lives or dies on cost per call and tail latency, not on a marginal reasoning score. Latency, cost per call, and reliability under load belong in the comparison from the start, not as an afterthought once you've already picked on capability.

As a starting point for common jobs:

  • Coding agents → SWE-bench Verified (real repository issues), with LiveCodeBench for contamination resistance.
  • Long-context retrieval → RULER, which stresses how well a model uses information deep in a long input.
  • Scientific and multi-step reasoning → GPQA Diamond.
  • General knowledge and instruction following → MMLU-Pro over the saturated original.
  • Anything domain-specific → a benchmark built on data from your domain, run on examples the model hasn't seen.

That last point is the one that generalizes. The closer a benchmark's data is to your real inputs — and the more certain you are that the model hasn't trained on it — the more its score actually predicts what you'll get in production. For a genuinely high-stakes choice, the strongest evidence isn't a public leaderboard at all: it's a small evaluation set you build from your own data, held back from any model, scored against answers you know are correct. Public benchmarks get you to a shortlist; your own data decides the winner.

What separates a trustworthy benchmark from a misleading one

A benchmark is only as trustworthy as the data underneath it. The scoring code and the leaderboard get most of the attention, but they sit on top of a dataset, and if that dataset is contaminated, unrepresentative, or wrongly labeled, no amount of careful scoring can rescue the result. Three properties separate a benchmark you can trust from one that quietly misleads you:

  • The model hasn't seen the data. If the test examples appear anywhere in the training corpus, the score measures recall, not capability — the contamination problem again, this time seen from the benchmark author's side. Trustworthy benchmarks use held-out data, freshly generated data, or data time-windowed to publish after the models were trained.
  • The data reflects a real domain. A benchmark built on generic web text can't tell you how a model handles clinical notes, loan contracts, or internal Slack threads, where the vocabulary, structure, and ambiguity are nothing like a clean encyclopedia paragraph. The examples have to look like the actual work, down to the messiness: the typos, the half-finished sentences, the names that are also common words.
  • The ground truth is genuinely correct. Every score is measured against an answer key, and a benchmark riddled with mislabeled or incomplete answers caps how high a good model can score and quietly rewards the wrong behaviors. On a PII-detection benchmark, a single missed label in the ground truth turns a correct detection into a scored "error," and the whole result inherits that noise.

What makes this so easy to miss is that none of it shows up on a leaderboard. A score is a single number, and it carries no signal about whether the data beneath it was contaminated, representative, or correctly labeled. Two benchmarks can report the same headline accuracy while one measures genuine capability and the other measures how well models memorized a leaked test set. The only way to tell them apart is to look underneath the score at the data itself, which is the part most published benchmarks make hardest to inspect.

Each of these is hard to get right, and the three pull against each other. Real-domain data is often sensitive, so it can't be published, and publishing it would contaminate future models anyway. Stripping the sensitive parts by hand is slow and imperfect, and hand-labeling real data at scale introduces exactly the ground-truth errors that undermine the third criterion. The result is a genuine bind: the data that would make a benchmark most trustworthy is precisely the data you can't safely collect, share, or label by hand. Resolving that bind — building evaluation data that's realistic, uncontaminated, and correctly labeled all at once — is the problem Tonic.ai's benchmark research sets out to solve.

Tonic.ai's benchmark research

Tonic.ai's AI team builds and publishes benchmarks as part of our research, and we share many of them with the community. The work is an R&D endeavor first: public datasets and reproducible methods, released under open licenses on Hugging Face, aimed at advancing how the field measures model performance on real-world tasks where the data is sensitive, scarce, or hard to label. Because the datasets and the scoring are open, any team can reproduce the findings and run the same tests against its own models and pipelines. Running these benchmarks also gives us an honest, rigorous read on how our products hold up under real conditions.

The through-line across the work is the trustworthy-data problem itself. If the hardest part of a good benchmark is getting realistic, uncontaminated, correctly labeled data, then generating that data synthetically, with ground truth built in from the start, is a way out of the bind. Synthetic data is generated, so it has never sat in a training set; it can be built to mirror any domain; and its labels are known by construction rather than guessed after the fact — realistic, uncontaminated, and correctly labeled at once. Two of our published benchmarks show what this looks like in practice.

Tonic.ai built PrivacyBench, a public benchmark for de-identifying workplace data, the email and Slack messages that accumulate inside any company. De-identifying that kind of text is deceptively hard: names double as common words, sensitive references are scattered across a thread rather than stated once, and a redactor that misses a single mention leaks the identity the rest of the effort was meant to protect, which makes recall the metric that matters.

PrivacyBench contains roughly 17,900 messages across a set of synthetic workplace scenarios, every one generated by Tonic Fabricate and labeled with ground-truth PII spans, so there is no human annotation to budget for or second-guess. The benchmark also introduces a "synthesis accuracy" metric the field lacked: a way to measure not just whether sensitive entities were caught, but whether the replacements preserved the data's usefulness. And it's self-serve, so you can score your own redaction or synthesis pipeline against the same ground truth and see exactly where it leaks. Across those scenarios, using Tonic Textual for PII detection beats general-purpose LLMs on recall and synthesis by 4.3 points, while cutting costs by over 60%. Since the benchmark data itself is Fabricate-generated with known labels, the evaluation rests on ground truth rather than on a human's best guess.

The same idea drives Tonic.ai's training-data research. We used Fabricate to build a complete synthetic corporate email environment — a fictional 100-person company, Vectrix Technologies, with roughly 1,964 emails and a structured metadata layer that turns the inbox into graded, verifiable agent tasks — and published it openly as the vectrix-art-e dataset. Because the environment was generated with known relationships between people, threads, and events, every task has a verifiable correct answer, and difficulty scales from single-hop lookups ("find the message where the budget was approved") to multi-hop reasoning that chains several threads together.

A model fine-tuned only on that synthetic data improved on the real-world Enron email benchmark from 80.5% to 86%, edging past o3 at around 85%, without training on a single real email. This offers direct evidence that synthetic data is a valid foundation for model training and evaluation, not a lossy substitute: the same AI training data that sidesteps the privacy and scarcity problems can also produce a better-performing model.

For teams building agents, that means a simulated environment for reinforcement learning they can shape to any domain, with difficulty and coverage under their control, instead of waiting on scarce, sensitive real-world logs that can't be varied or shared. The synthetic dataset also separated strong and weak models more cleanly than the real Enron data did, because its known structure strips out the noise and mislabeling that muddy real-world benchmarks.

How Tonic.ai helps you train and de-identify on data you can trust

The research points at one practical question: where does trustworthy data come from? Our answer is a product suite that generates realistic data from scratch and unlocks the real data you already have, the two sources of the training and evaluation data behind our own benchmarks.

Tonic Fabricate generates realistic, labeled synthetic data with ground truth built in, modeling from your existing databases or building from a prompt, with referential integrity intact throughout. It gives teams both training and evaluation data for secure AI model training when real data is scarce, sensitive, or doesn't yet exist.

Tonic Textual works from the other direction: it detects and synthesizes the sensitive entities in unstructured text — email, chat, documents, transcripts — so you can safely put that text to work in model training and fine-tuning, internal RAG systems, LLM privacy layers, and secure data sharing with partners.

The two are complementary, differentiated by fit: Fabricate generates new data, Textual unlocks the real data you already hold. Together they produce data you can train on, evaluate on, and trust, ideal for your models and your benchmarks. Connect with our team to learn more.

Frequently asked questions

There isn't one. The most useful benchmark depends on the job you're hiring the model for — SWE-bench Verified for coding agents, GPQA Diamond for scientific reasoning, RULER for long context. Read a suite rather than a single headline number, and weigh cost and latency alongside accuracy.

Public scores drift from real performance for two reasons: saturation, where frontier models cluster so tightly that differences fall within noise, and contamination, where benchmark data leaks into training sets and inflates results. A model can top a leaderboard and still stumble on your data.

Yes, as a first filter, not a final verdict. Public benchmarks narrow the field quickly and flag obvious weaknesses, but they can't tell you how a model behaves on your domain and your data. Pair them with an evaluation built on data the model hasn't seen.

PrivacyBench is an open benchmark from Tonic.ai for de-identifying workplace data, the email and Slack messages inside a company. Its roughly 17,900 messages are fully synthetic and labeled with ground-truth PII, so teams can score their own redaction pipeline against reliable answers. In it, Tonic Textual leads general-purpose models on recall.