How Sau5 tests AI.

Why Sau5 tests AI differently.

The AI testing market splits roughly into three camps. Platform vendors sell infrastructure: dashboards, eval runners, traces, logs. Big-Four consultancies sell governance: frameworks, risk registers, audit reports. Software QA shops sell automation: Selenium scripts, regression suites, browser testing.

None of those three things are testing AI.

A dashboard cannot tell you whether a faithfulness score of 0.87 is acceptable for your use case. A governance framework cannot decompose a multi-hop claim into its atomic propositions. A Selenium script cannot detect prompt injection at conversation turn five.

Sau5 sits in the gap. The methodology is engineering, not paperwork. The deliverable is a runnable harness, not a report. The skill set is built from running the same five-domain assessment across every engagement and refining what works.

That refinement is the product. The first engagement Sau5 ran produced 14 changes to the methodology. The fourth produced two. The methodology converges because the failure modes converge: every RAG system fails in recognisably similar ways, and once you've tested enough of them you stop being surprised. The skeleton the manual sits on doesn't change. The depth on each chapter keeps growing.

This page is the public version of that methodology. The full Test Cases Manual ships with every engagement. A sample chapter is available below.

Domain 1 — Retrieval Quality.

What it measures

Retrieval Quality is the foundation layer of every RAG assessment. It measures whether the system surfaces the correct documents for a given query, before any answer is generated, before any grounding is checked, before any model behaviour matters at all.

If retrieval fails, every downstream metric becomes unreliable. A system can have a state-of-the-art generator and still produce bad answers if the wrong chunks come back. Conversely, a mediocre generator with strong retrieval often outperforms a strong generator with weak retrieval. The retrieval layer is doing most of the work and getting most of the blame for problems that originate elsewhere.

This domain is also where the most expensive optimisation mistakes happen. Teams swap embedding models to chase a benchmark gain, lift Recall@5 by two points on a public test set, and silently regress on the specific query patterns their users actually issue. Sau5's Domain 1 testing is built to catch that pattern.

Why it matters

Three production failures cluster in this domain.

The first is silent drift after re-indexing. A re-ingestion of the corpus changes chunk boundaries, embedding distribution, or both. Aggregate recall looks unchanged. Users report that the system "feels worse than last week", a subjective complaint that turns out to be a 12-point drop on long-tail queries that the aggregate metric was hiding.

The second is embedding-model substitution regret. A team upgrades from one embedding model to a newer one with a stronger MTEB score. Six weeks later, support tickets reveal the new model handles short queries better but degrades sharply on multi-sentence queries, the exact distribution the team's users issue. Domain 1 testing forces the comparison on the client's query distribution, not a public benchmark's.

The third is reranker overconfidence. Adding a cross-encoder reranker improves NDCG by a clear margin on standard test sets, but reranker training data rarely matches enterprise corpora. Without per-query-class testing, teams discover too late that the reranker helps common questions and actively hurts the long tail.

How Sau5 tests it

The testing harness for Domain 1 has four parts.

Golden dataset construction

Sau5 builds a versioned dataset of 100+ records during Week 1 of every engagement. The dataset is structured across ten query types: definitional, comparative, procedural, multi-hop, temporal, numerical, negation, long-tail, ambiguous, and out-of-scope. Each record contains the query, the expected source chunks (labelled by subject-matter experts), and metadata flagging the query type and difficulty. Without a domain-tuned dataset, retrieval testing produces noise.

Multi-metric measurement

Sau5 measures four metrics per query and aggregates by query type:

Metric	What it measures	Why it's tracked
Recall@k	Fraction of relevant documents in the top-k retrieved set	The headline metric, but cannot tell you whether ranking is good
Precision@k	Fraction of top-k results that are relevant	Catches retrieval that surfaces relevant content alongside high noise
MRR	Average inverse rank of the first relevant result	Sensitive to whether the top result is the right one
NDCG@k	Normalised discounted cumulative gain at k	Penalises late-rank correct results, rewards correct ordering

Slice-level analysis

The aggregate score is almost always misleading. Sau5 reports per-query-type breakdowns and flags any slice that falls more than 5 points below the engagement-baseline target. This is where the silent regressions live.

Drift detection between runs

Once the baseline is established, every subsequent run is compared against it. Sau5's harness flags any per-query-type drop greater than 2 percentage points as a warn, and any drop greater than 5 percentage points as a fail that blocks deploy in CI/CD.

Metrics and pass thresholds

Metric	Definition	Default pass threshold
Recall@5 (aggregate)	Recall across whole dataset, top-5 results	≥ 0.85
Recall@5 (per query type)	Recall on each of 10 query types	≥ 0.70 (long-tail) to ≥ 0.95 (definitional)
Precision@5	Precision in top-5 retrieved	≥ 0.60
MRR	Mean reciprocal rank	≥ 0.70
NDCG@10	NDCG at rank 10	≥ 0.75
Drift vs baseline	Per-query-type delta	< 2 pts warn, < 5 pts fail

These are defaults. They are negotiated per engagement against the client's risk tolerance and use case. A medical-information RAG system uses tighter thresholds than an internal HR knowledge base.

What failure looks like in production

1. "It used to know about X." Users notice that a previously-answered question now returns a different, usually worse chunk. A sign of post-reindex drift or embedding-model substitution.
2. "The right answer is in there somewhere, just not first." Users see the right document on page 2 of an internal search experience, or as the third citation in a generated answer. A sign of reranker degradation or NDCG drop without recall change.
3. "It thinks this is about something else." Users issue a query and the system retrieves chunks from a related-but-wrong topic. A sign of embedding-model drift on the client's domain vocabulary.

Sau5's Domain 1 testing catches all three before they reach users, if it runs continuously. A one-off Recall@5 measurement at deploy-time will catch the first two and miss the third entirely. Domain 1 testing isn't a project. It's a practice.

Tools and references

Sau5's harness uses RAGAS and BEIR for the metric implementations, pytrec_eval for the underlying scoring, and sentence-transformers for embedding-level diagnostics. The methodology follows the principles in NIST AI RMF 1.0 (measure function) and is consistent with the retrieval-evaluation patterns in Microsoft's RAG application evaluation guidance.

Domain 3 — Hallucination Detection.

What it measures

Hallucination Detection tests the rate at which the model invents content, and, crucially, what kind of content it invents. Sau5 tracks five distinct hallucination types because the failure modes are not interchangeable. An intrinsic contradiction is a different bug from a fabricated citation, and the fix for each is different.

The five types Sau5 measures:

1. Intrinsic. Claim contradicts a retrieved chunk.
2. Extrinsic, fabricated. Claim has no support in retrieved chunks and no truth elsewhere.
3. Extrinsic, plausible. Claim has no support in retrieved chunks but happens to be true (or partially true) in the wider world.
4. Over-specification. Claim adds invented specifics (numbers, dates, named entities) to an otherwise grounded statement.
5. Entity substitution. Claim swaps named entities (people, organisations, products) for similar but incorrect ones.

A system fails Domain 3 if the total hallucination rate exceeds 5%, or if any individual hallucination type exceeds a domain-specific threshold negotiated per engagement.

Why it matters

Hallucination is the failure mode that breaks user trust fastest, because users cannot tell the difference between a hallucinated answer and a correct one without independently verifying every claim. Hallucinated answers also tend to be the ones that travel: they get screenshotted, shared, and quoted. By the time the model is corrected, the wrong answer has propagated.

In regulated industries the asymmetry sharpens. A single hallucinated numerical claim in a clinical-decision support tool, or a single fabricated citation in a legal-research assistant, is a containment event. Domain 3 prevents containment events from being the way you discover the problem.

How Sau5 tests it

Domain 3 reuses the three-stage detection pipeline from Domain 2 (NLI → LLM Judge × 2 → Atomic Decomposition) but feeds the verdicts into a five-type classifier rather than a single faithfulness score. The classifier assigns each unsupported claim to one of the five hallucination types, then aggregates per-type rates.

The dataset for Domain 3 is constructed differently from Domain 2. Where Domain 2 uses general-purpose grounding queries, Domain 3 uses trap queries deliberately designed to elicit each hallucination type:

• Numerical traps: quantitative questions where the corpus contains only qualitative content
• Citation traps: questions inviting the model to cite a "study" or "report" that doesn't exist
• Entity traps: questions about real entities with intentionally similar-sounding distractors in the corpus
• Temporal traps: questions about dates or sequences the corpus is silent on

Without trap queries, aggregate hallucination rates look reassuringly low. Hallucinations rarely surface on easy queries.

Metrics and pass thresholds

Metric	Definition	Default pass threshold
Total Hallucination Rate	All hallucination types ÷ all claims	≤ 5%
Intrinsic Rate	Claims contradicting retrieved chunks	≤ 2%
Extrinsic Rate (combined)	Fabricated + plausible	≤ 3%
Over-specification Rate	Invented specifics added to grounded claims	≤ 1%
Entity Substitution Rate	Named-entity swaps	≤ 0.5%

For regulated-industry clients (finance, healthcare, legal), Sau5 tightens thresholds, typically by half, with the over-specification and entity-substitution rates often set to zero.

What failure looks like in production

1. The "confident statistic" pattern. Customer-facing assistant produces a percentage, dollar amount, or count where the underlying data contains none. Over-specification hallucination type.
2. The "almost right entity" pattern. Assistant attributes a quote, policy, or product feature to a similar-named but wrong entity. Entity substitution hallucination type.
3. The "common knowledge" pattern. Assistant answers from its parametric knowledge when the corpus is silent, producing a plausible answer that happens to be wrong in the client's specific domain. Extrinsic, plausible hallucination type, the most subtle and the hardest to catch without trap queries.

Tools and references

The detection pipeline reuses the Domain 2 stack. The five-type classifier and trap-query dataset construction are proprietary to Sau5 and ship with the harness at handover. The taxonomy itself draws on academic work in HaluEval and FActScore, refined against the failure-mode distribution Sau5 has observed in production engagements.

Domain 5 — Eval Operations.

What it measures

Eval Operations tests whether the testing itself is repeatable, continuous, and integrated into the development pipeline. A perfect set of findings from Domains 1–4 is worth very little if those tests don't run again automatically every time the model is updated, the corpus is re-ingested, or the prompt is changed.

This is the domain that turns the four-week engagement from a snapshot into a practice. It's also the most overlooked. Most AI quality work focuses on the first four domains and treats operations as plumbing. Sau5 treats it as the domain that determines whether the other four hold their value over time.

Why it matters

AI systems drift in ways traditional software doesn't:

• Model updates: provider releases a new version, sometimes silently, and behaviour changes
• Corpus drift: documents are added, removed, re-indexed; chunk boundaries shift
• Embedding model updates: vector representations of the same content change
• Prompt edits: small changes to system prompts produce non-obvious downstream effects
• Adversarial-pattern evolution: new injection techniques emerge faster than annual review cycles can catch

A static eval suite ages out in three to six months. Domain 5 prevents the eval suite from becoming evidence of testing the client used to do.

How Sau5 tests it

Domain 5 is delivered as a packaged, runnable harness that the client owns at handover. The harness has five components:

1. Domain orchestrator: a Python runner that executes Domains 1–4 in sequence against the system under test
2. Versioned golden dataset: the client's dataset under semantic versioning, with diff tooling for tracking changes
3. Regression baseline store: every run is recorded; the current run is compared against the baseline
4. CI/CD integration: pre-built configurations for GitHub Actions, GitLab CI, and Azure DevOps
5. Alert routing: failures route to Slack / Microsoft Teams / PagerDuty; warnings route to the client's preferred channel

The deploy gate is the operational centrepiece. The harness exits non-zero on any FAIL across the four upstream domains, which causes the CI pipeline to block the deploy. This converts AI quality from a reporting function ("here are the scores") into a control function ("this deploy will not ship").

Metrics and pass thresholds

Metric	Definition	Default pass threshold
Harness runtime (p95)	95th-percentile end-to-end run time	< 10 minutes
Baseline freshness	Days since baseline last refreshed	< 30
Regression catch rate	Induced regressions caught ÷ injected	100%
CI integration coverage	Pipelines wired to the harness ÷ pipelines that should be	100%
Alert delivery latency (p95)	Time from failure to alert delivered	< 60s

What failure looks like in production

1. The "broken gate" pattern. Harness runs, results are recorded, but the CI gate is misconfigured and doesn't actually block the deploy. The client believes they have a safety net they don't have.
2. The "stale baseline" pattern. Baseline is from six months ago. Regressions get measured against a comparison point that no longer reflects reality. False positives proliferate, the team stops trusting the alerts, alerting gets silenced.
3. The "noisy dashboard" pattern. Results are posted to a Grafana / Datadog / internal dashboard with no clear owner. Nobody reads them. Failures pile up. The first signal that quality has degraded is a user complaint, not a harness alert.

Tools and references

The harness packaging is built on Python 3.11+, uses standard CI/CD primitives (no vendor lock-in), and is licensed to the client at handover with no ongoing dependency on Sau5 infrastructure. Sau5 does not host any part of the client's eval operation by default. Clients who want Sau5 to run it for them (Path B) receive the same harness, deployed to a Sau5-managed environment on their behalf.

What you walk away with.

Every Sau5 engagement ships the same six deliverables on Day 20:

• Eval harness. A runnable Python package, client-owned, wired into the client's CI/CD.
• Golden dataset. Versioned, SME-reviewed, tagged by query type.
• Test cases manual. The full methodology document (~200 pages).
• Findings report. Per-domain scores, root causes, remediation roadmap.
• Live walkthrough. In English or Spanish (if applicable).
• CI/CD configurations. Validated against the live integration before sign-off.