Nova Premier: Multimodal Foundation Model
- Nova Premier is a multimodal foundation model that integrates text, images, and video using a unified transformer architecture with a one-million-token context window.
- The model serves as a teacher in knowledge distillation pipelines, enabling efficient student models to inherit its long-context and multimodal capabilities.
- Comprehensive safety evaluations using the Frontier Model Safety Framework ensure robust risk mitigation in high-risk domains like CBRN, offensive cyber, and automated AI R&D.
Nova Premier is Amazon's most advanced multimodal foundation model, engineered to process free-form text, images, and full-length video within a unified transformer-based architecture. Distinguished by its one-million-token context window and its role as a distillation teacher, Nova Premier is designed to enable large-context analysis spanning codebases, extensive technical documents, and long-duration video content. Its comprehensive safety evaluations, conducted under the Frontier Model Safety Framework, have focused on critical-risk domains including CBRN (Chemical, Biological, Radiological & Nuclear proliferation), offensive cyber operations, and automated AI R&D, informing both its release decision and ongoing risk-mitigation strategies (Krishna et al., 7 Jul 2025).
1. Architecture and Multimodal Capabilities
Nova Premier employs a single neural backbone with a shared transformer encoder–decoder stack and modality-specific input adapters. These enable the model to ingest:
- Free-form text, including natural language and code
- Static images (photographs, diagrams)
- Full-length video (up to 90 minutes per prompt)
Within this architecture, modality-specific adapters (e.g., patch-embedding vision stem for images, frame-wise encoder for video) map signals to a common semantic space. Joint cross-attention mechanisms align tokens, image patches, and video embeddings. This design enables the model to handle hybrid prompts and reason jointly over sequences of diverse modalities.
The model achieves a one-million-token context window using three complementary mechanisms:
- Blockwise linearized attention with subquadratic memory requirements,
- A sliding-window key–value cache,
- Hierarchical compression layers that downsample distant context.
This infrastructure permits the ingestion and analysis of, for example:
- A 200K-line codebase (e.g., an entire software repository)
- A 400-page PDF manuscript (~600K word-pieces)
- A 90-minute MP4 video, with audio transcribed and visual frames featurized
The model can provide holistic analysis (e.g., cross-cutting codebase queries and global static program analyses) in a single forward pass, exceeding the context limitations of previous foundation models.
2. Model Distillation and Teacher Role
Nova Premier functions as a “teacher” model within knowledge distillation pipelines. Here, a student model is trained to align its next-token output distribution to that of Nova Premier via the loss function:
where denotes Nova Premier’s output. This framework enables the development of efficient, deployment-optimized models, whose long-context and multimodal capabilities directly derive from Nova Premier. The distillation approach supports wide downstream deployment while preserving performance characteristics central to frontier-scale models.
3. Frontier Model Safety Framework (FMSF)
The Frontier Model Safety Framework (FMSF) governs the risk assessment and release protocol for Nova Premier. For each model and high-risk domain , a non-negative scalar risk score is computed:
Each domain has a release threshold ; the model is publicly released only if
Each aggregates automated benchmark results (0) and human-centric flags (1), mapped to 2, with domain-specific weights:
3
The protocol encompasses: (1) running automated benchmarks, (2) expert red-teaming/uplift studies, (3) computing scores and comparing to thresholds, (4) sharing results for third-party audit (e.g., Nemesys for CBRN, METR for R&D), and (5) pausing deployment if any 4 exceeds 5. This formalism ensures systematic, auditable safety checks prior to public release.
4. Risk Assessment Methodology
Risk evaluation targets three high-risk application domains:
- CBRN: proliferation of chemical, biological, radiological, and nuclear threats
- Offensive Cyber: hands-on computer-network exploitation
- Automated AI R&D: agentic research workflows with dual-use potential
Automated benchmarks for each domain employ domain-specific question suites and tasks:
| Domain | Benchmark Components | Key Metrics |
|---|---|---|
| CBRN | WMDP-Bio (1273 MCQs), WMDP-Chem (408 MCQs), ProtocolQA (108), BioLP-Bench (800) | 6, 7 |
| Offensive Cyber | CyberMetric QA, CTF suite (40 challenges) | 8 |
| Automated AI R&D | RE-Bench, multi-agent simulations (100 scenarios) | RE-Bench success, Red-team flag fraction |
For qualitative assessment, domain experts conduct red-teaming and uplift studies. For example, CBRN testing involves 120 bespoke prompts scored by multiple SMEs on a 0–10 safety rubric, measuring refusal rate, false-negative rate, and mean safety risk. The cyber domain employs real-world exploit scenarios and MITRE ATT&CK tactics. In the R&D domain, METR manually reviews agent transcripts and multi-agent logs for evidence of autonomy or sabotage.
5. Core Findings and Release Outcome
CBRN
- Automated MCQ accuracies: WMDP-Bio 0.84 (+0.02), WMDP-Chem 0.66 (+0.03)
- ProtocolQA-MCQ: 0.48 (+0.14), BioLP-Bench: 0.23 (+0.13)
- Human-centric: 17% refusal, 18% partial deflection, 61% false-negative on “should-not-answer” prompts, mean safety risk 4.2/10
- 9 due to modest knowledge gains, insufficient procedural reasoning, and high SME deflection
Offensive Cyber
- 10–15 pp increase in theoretical QA accuracy, CTF solve rate ~0.15
- End-to-end flag retrieval on simple reversing, but filtered/stalled on advanced exploits
- No multi-stage exploit generation; advanced evasion triggers filter
- 0
Automated AI R&D
- RE-Bench: coherent steps, but no fully autonomous high-risk pipeline
- Multi-agent: 32.2% agent-instances, 56% scenarios flagged, none critically severe
- METR confirms absence of hidden autonomy; periodic "no-filter" retesting advised
- 1
Cumulatively, Nova Premier satisfies the release criterion for all domains, supporting its public release in alignment with AI safety commitments announced at the 2025 Paris AI Safety Summit (Krishna et al., 7 Jul 2025).
6. Ongoing Mitigations and Future Directions
Planned developments focus on expanding and refining risk evaluation:
- Broaden CBRN adversarial prompt libraries and SME adjudication throughput; develop execution sandboxes for task verification
- Enhance cyber red-teaming with stealth/in-memory exploit scenarios, hypervisor-level, and supply-chain compromise tests
- For R&D, increase scenario complexity in agent simulations, monitor for "capability drift" across retraining, and continue periodic unfiltered evaluations
- Maintain continuous safeguards with dynamic policy updates, real-time content filtration, and anomaly detection for user interactions
This suggests that as Nova Premier and future successors gain capabilities, the FMSF protocol will iteratively adapt, ensuring systematic detection and mitigation of critical misuse risks prior to any expanded deployment (Krishna et al., 7 Jul 2025).