Microsoft

Verifying Rust cryptography in SymCrypt, from standards to code

Microsoft Research - Mon, 07/13/2026 - 18:00
How Rust, Lean, Aeneas, and AI agents are helping scale formal verification for production cryptographic algorithms At a glance
  • SymCrypt develops new verified cryptography using Rust, Aeneas, and Lean to provide higher security assurance.
  • We prove that their code safely and correctly implements standard algorithms, notably for post-quantum cryptography.
  • We are releasing verified code, specs, properties, and proofs initially for SHA-3 and ML-KEM. 
  • Aeneas allows verifying a large subset of Rust code and provides efficient automation in Lean to support the proof effort.
  • Agents allow scaling automation by writing proofs that are independently-verifiable.
Introduction and motivation for formal verification

Cryptographic code sits at the foundation of modern computing. It protects operating systems, cloud services, firmware, messaging systems, and the protocols that connect them. Small mistakes can have outsized consequences: a single arithmetic slip, missing bounds check, or incorrect state transition can undermine the security of an otherwise sound design.

Testing and auditing remain essential, but they are not enough on their own. Cryptographic implementations are often optimized, constant-time, architecture-specific, and deliberately low level. The code that ships rarely looks like the clean algorithm in a standard: it contains reductions, bit manipulations, SIMD intrinsics, carefully shaped loops, and portability layers for many environments.

Formal verification addresses this gap by deploying machine-checked proofs instead of relying on testing alone. Rather than merely checking that the code usually behaves correctly, verification implements a precise mathematical specification for all inputs that satisfy the stated preconditions.

In June last year, Microsoft announced we would formally verify new algorithms written in Rust in SymCrypt, the cryptographic provider used across products and services including Windows and Azure. New cryptographic implementations are being written in safe Rust, then verified in the Lean (opens in new tab) formal proof framework using the Aeneas (opens in new tab) toolchain. This applies in particular to post-quantum cryptography, which require fast secure implementations of complex algorithms. This combination gives us two layers of assurance: Rust rules out broad classes of memory-safety bugs, while Lean proofs establish functional correctness against formal specifications derived from standards.

The result is a new verification methodology for production cryptography: verify code as developers write it, preserve performance-oriented implementation choices, and make the proof process scalable enough to keep up with an evolving codebase.

Figure 1. Agents (stochastic, in blue) and tools (algorithmic, in green) for software verification. Human effort focuses on reviewing formalization of standards and main properties. Agents write proofs and intermediate properties. Compilation, code extraction, and proof verification are deterministic, not agentic. Status of verification in SymCrypt

We have open sourced a SymCrypt branch (opens in new tab) that includes formal specifications and proofs. This public branch makes the proof artifacts available alongside the Rust algorithm implementations they validate, showing how the methodology applies to production cryptographic code. SymCrypt is not a standalone research prototype; it is Microsoft’s open-source cryptographic library used across products and services including Windows and Azure Linux.

This first release includes complete proofs for the Rust ML-KEM and SHA3 code that is being used in insiders builds of Windows today. SymCrypt is extending the same Rust, Lean, and Aeneas-based workflow to more Rust-native algorithms and integrating them into production versions for Windows and Linux, including for instance verified Rust code for, e.g., AES-GCM, FrodoKEM, and ML-DSA. The rest of this post uses this SymCrypt work as a concrete example, starting with how public standards become executable Lean specifications.

Turning standards into formal Lean specifications

The first step is to formalize what the algorithm is supposed to do. For cryptographic primitives, the source of truth is usually a public standard: a NIST specification, an IETF RFC, or another carefully reviewed algorithm description.

In our approach, the Lean specification is designed to stay close to the standard. When the standard describes a loop, an array update, or a mathematical operation, the Lean model follows the same structure wherever possible. This syntactic proximity matters: it makes the formal specification easier to audit because reviewers can compare the standard and the Lean side by side.

Lean also lets us write executable specifications. That means we can run the formal model against official test vectors to catch transcription errors, off-by-one mistakes, or misunderstandings of the standard. For algorithms such as ML-KEM, we can go further and prove high-level mathematical properties, such as showing that the formal model of the number-theoretic transform corresponds to the intended operation over the relevant polynomial ring.

A representative example is the number-theoretic transform (NTT) from ML-KEM. The standard describes the algorithm as an in-place transformation over 256 coefficients modulo q, with three nested loops that update pairs of coefficients using successive powers of the constant ζ (= 17).

Here is a direct translation of the NIST standard in Lean, trying to stick as close as possible to the original syntax:

The Lean version deliberately mirrors the structure of the standard: the same loop nest, the same zeta selection, and the same coefficient updates, allowing easy line-by-line human review. At the same time, it is executable and uses mathematical types, so it can be tested against known vectors and connected to higher-level theorems about the NTT’s algebraic meaning. In summary, the Lean specification is a concise, executable, mathematically meaningful model that tracks the standard closely enough to be reviewed by cryptographers and proof engineers alike.

Connecting the formal specification to the code

Once the specification is formalized, the next challenge is to connect it to the implementation. We do not ask developers to rewrite production cryptographic code in a verification-oriented language, nor do we generate code that product teams must then own. Instead, we verify the Rust code that engineers write, exactly as they write it.

Aeneas makes this possible by translating Rust’s mid-level representation into a pure Lean model. Rust’s ownership and borrowing discipline are crucial here. They let Aeneas safely eliminate much of the reasoning about pointer aliasing, liveness, and mutation that makes verification of C-style code so expensive.

For example, a Rust function that updates an array in place becomes, in Lean, a function that explicitly takes and returns a functional array. Mutable borrows are translated into value transformations. This preserves the behaviour that matters while presenting proof engineers with a functional model that is far easier to reason about.

Once in Lean, the function can be equipped with a theorem that states that it refines a formal specification. In other words, for every input satisfying the required bounds and well-formedness conditions, the implementation function returns the same mathematical result as the standard-derived Lean specification.

This style keeps responsibilities cleanly separated. Software engineers continue to write idiomatic, performant Rust. Verification engineers work against generated Lean models and prove theorems about them. The Rust code and the proofs live side by side, but the proof burden does not shape the code into something unnatural.

Going back to the NTT example, its Rust implementation is a function fn ntt(&mut [u16; 256]) that uses a mutable borrow to update an array in-place. The Lean translation purifies it into a function ntt : Array U16 256#usize → Result (Array U16 256#usize) that directly outputs the updated array, while wrapping it into a Result type to explicitly capture the fact that Rust functions may panic.

In this case, the theorem states that, if the array satisfies a well-formedness invariant (ensuring it represents a valid polynomial), then running the Rust model ntt returns the well-formed representation of the result of the mathematical specification Spec.ntt, modulo conversion from low-level arrays to high-level polynomials.

Scaling this to every function in real cryptographic code required substantial automation. Lean’s extensibility lets us build a gradient of automation with tactics for symbolic execution, arithmetic, arrays, and bit-vector reasoning. The experience becomes closer to debugging: automation handles the routine proof obligations, while engineers can inspect and refine the proof when a goal does not close automatically.

Supporting intrinsics and multiple architectures

Production cryptography cannot ignore hardware. SymCrypt must run across environments ranging from embedded and kernel contexts to cloud services. It also needs to take advantage of platform-specific instructions when they are available, including SIMD intrinsics and architecture-specific optimized paths.

A verification story that only works for a portable reference implementation is therefore incomplete. We need to verify the code that actually ships: dispatch logic, optimized routines, and target-specific variants included.

The code below is adapted from the ntt_layer  function that is internally used by the NTT. This function is compiled differently for x86-64 and aarch64, allowing dynamic dispatch to target-specific or portable implementations. On x86-64, it checks the availability of SSE2 instructions, while on aarch64 it checks for Neon.

.gist .gist-meta { display: none !important; }

As rustc’s output is inherently target specific, our toolchain compiles the code several times, one per compilation target for which verification is required, before merging the corresponding models. In effect, this merge operation turns the static dispatch permitted by the cfg attributes in the Rust code into a first layer of dynamic dispatch between x86-64 and aarch64 in the Lean model. Following what the Rust code does, these target specific models then themselves dynamically dispatch to the models of the XMM, Neon, and generic implementations.

Intrinsics require a slightly different treatment. Some low-level wrappers, especially those that manipulate raw pointers or expose platform instructions, are modelled by small, carefully reviewed Lean specifications. Others can be modelled using Rust code, which can be tested against hardware reference documentation, then translated and verified. The surrounding safe Rust code is then verified against those models. This keeps the trusted surface narrow while preserving the performance benefits of hardware acceleration.

The important point is that verification does not require giving up optimization. The methodology is designed to preserve the complexities of production code – including intrinsics, dispatch, and platform-specific implementations – while still proving a single, auditable correctness statement.

Reflecting formal guarantees to the code developer

Formal verification only scales in an engineering organization if developers can understand what has been proved. It is not enough for a proof to exist in a repository; the guarantee must be visible, reviewable, and synchronized to the code that engineers maintain.

To support this, we expose verification results through automatically generated dashboards. These dashboards summarize theorems in developer-facing terms: preconditions, postconditions, covered functions, trusted models, and remaining assumptions. Engineers do not need to open Lean to see what has been verified. For instance, below is the page displayed by the dashboard for our ntt function.

Figure 2. Dashboard page for the theorem that shows the Rust function mlkem.ntt correctly implements the NTT specified in the NIST standard.

The specification clearly presents the theorem statement included in the Lean formal development: it separates the function input and preconditions from the post-condition by putting them above a horizontal line, and use fully qualified names with links to navigate to Rust and Lean definitions.

This feedback loop is especially useful for reviewing assumptions around intrinsics, target-specific code, and boundary conditions. A cryptographic developer can for example check whether the theorem fully captures what they expect their code to guarantee, and notice a formal statement is too weak, or a precondition is wrong.

The dashboards also aligns verification with continuous development. As Rust code changes, Lean models and proofs can be regenerated and replayed. When a proof breaks, that failure becomes a signal: either the implementation changed in a way that needs a proof update, or the change has exposed a real discrepancy with the specification.

This turns formal verification from a one-time research artifact into part of the engineering workflow.

Agentic proofs

The final ingredient is automation beyond traditional tactics: AI agents. Lean is well suited to this because proofs are machine-checked by a small trusted kernel. An agent may propose a proof script, but Lean independently verifies whether the proof is valid.

We use agents in two places. First, they help translate standards into Lean specifications. Because the resulting specification is executable, aligned to the original standard, tested against official vectors, supported by mathematical theorems, and much simpler than an implementation, it can be thoroughly audited even when an agent helped draft it.

Second, agents help write and maintain proofs. With the right libraries, tactics, examples, and documentation, agents can handle large amounts of proof work: unfolding generated models, applying specifications for helper functions, discharging arithmetic obligations, and repairing proofs after refactors.

This is particularly powerful because the Rust code and Lean proofs are separated. Agents do not need to annotate or modify the production Rust implementation to make a proof go through. They operate on the proof side, and the result is accepted only if Lean validates it and the final theorem states the desired guarantee without introducing unreviewed assumptions.

In practice, this changes the economics of verification. Work that previously required months of specialist effort can be accelerated dramatically. The proof engineer’s role shifts from writing every proof by hand to designing specifications, curating automation, reviewing theorem statements, and steering agents to complete their proofs.

Conclusion

Verified cryptography has often faced a difficult trade-off: the strongest guarantees came from specialized toolchains, generated code, and workflows that were hard for product teams to adopt. Rust, Lean, Aeneas, and agentic proof automation let us revisit that tradeoff.

By verifying Rust as written, deriving auditable specifications from standards, supporting optimized multi-architecture implementations, and reflecting proof results back to developers, formal verification can become part of normal cryptographic engineering rather than an after-the-fact research exercise.

That is the long-term promise: cryptographic code that remains fast, portable, maintainable, and developer-owned, while carrying machine-checked evidence that it implements the standards it is meant to realize.

Opens in a new tab

The post Verifying Rust cryptography in SymCrypt, from standards to code appeared first on Microsoft Research.

Categories: Microsoft

Verifying Rust cryptography in SymCrypt, from standards to code

Microsoft Research - Mon, 07/13/2026 - 18:00
How Rust, Lean, Aeneas, and AI agents are helping scale formal verification for production cryptographic algorithms At a glance
  • SymCrypt develops new verified cryptography using Rust, Aeneas, and Lean to provide higher security assurance.
  • We prove that their code safely and correctly implements standard algorithms, notably for post-quantum cryptography.
  • We are releasing verified code, specs, properties, and proofs initially for SHA-3 and ML-KEM. 
  • Aeneas allows verifying a large subset of Rust code and provides efficient automation in Lean to support the proof effort.
  • Agents allow scaling automation by writing proofs that are independently-verifiable.
Introduction and motivation for formal verification

Cryptographic code sits at the foundation of modern computing. It protects operating systems, cloud services, firmware, messaging systems, and the protocols that connect them. Small mistakes can have outsized consequences: a single arithmetic slip, missing bounds check, or incorrect state transition can undermine the security of an otherwise sound design.

Testing and auditing remain essential, but they are not enough on their own. Cryptographic implementations are often optimized, constant-time, architecture-specific, and deliberately low level. The code that ships rarely looks like the clean algorithm in a standard: it contains reductions, bit manipulations, SIMD intrinsics, carefully shaped loops, and portability layers for many environments.

Formal verification addresses this gap by deploying machine-checked proofs instead of relying on testing alone. Rather than merely checking that the code usually behaves correctly, verification implements a precise mathematical specification for all inputs that satisfy the stated preconditions.

In June last year, Microsoft announced we would formally verify new algorithms written in Rust in SymCrypt, the cryptographic provider used across products and services including Windows and Azure. New cryptographic implementations are being written in safe Rust, then verified in the Lean (opens in new tab) formal proof framework using the Aeneas (opens in new tab) toolchain. This applies in particular to post-quantum cryptography, which require fast secure implementations of complex algorithms. This combination gives us two layers of assurance: Rust rules out broad classes of memory-safety bugs, while Lean proofs establish functional correctness against formal specifications derived from standards.

The result is a new verification methodology for production cryptography: verify code as developers write it, preserve performance-oriented implementation choices, and make the proof process scalable enough to keep up with an evolving codebase.

Figure 1. Agents (stochastic, in blue) and tools (algorithmic, in green) for software verification. Human effort focuses on reviewing formalization of standards and main properties. Agents write proofs and intermediate properties. Compilation, code extraction, and proof verification are deterministic, not agentic. Status of verification in SymCrypt

We have open sourced a SymCrypt branch (opens in new tab) that includes formal specifications and proofs. This public branch makes the proof artifacts available alongside the Rust algorithm implementations they validate, showing how the methodology applies to production cryptographic code. SymCrypt is not a standalone research prototype; it is Microsoft’s open-source cryptographic library used across products and services including Windows and Azure Linux.

This first release includes complete proofs for the Rust ML-KEM and SHA3 code that is being used in insiders builds of Windows today. SymCrypt is extending the same Rust, Lean, and Aeneas-based workflow to more Rust-native algorithms and integrating them into production versions for Windows and Linux, including for instance verified Rust code for, e.g., AES-GCM, FrodoKEM, and ML-DSA. The rest of this post uses this SymCrypt work as a concrete example, starting with how public standards become executable Lean specifications.

Turning standards into formal Lean specifications

The first step is to formalize what the algorithm is supposed to do. For cryptographic primitives, the source of truth is usually a public standard: a NIST specification, an IETF RFC, or another carefully reviewed algorithm description.

In our approach, the Lean specification is designed to stay close to the standard. When the standard describes a loop, an array update, or a mathematical operation, the Lean model follows the same structure wherever possible. This syntactic proximity matters: it makes the formal specification easier to audit because reviewers can compare the standard and the Lean side by side.

Lean also lets us write executable specifications. That means we can run the formal model against official test vectors to catch transcription errors, off-by-one mistakes, or misunderstandings of the standard. For algorithms such as ML-KEM, we can go further and prove high-level mathematical properties, such as showing that the formal model of the number-theoretic transform corresponds to the intended operation over the relevant polynomial ring.

A representative example is the number-theoretic transform (NTT) from ML-KEM. The standard describes the algorithm as an in-place transformation over 256 coefficients modulo q, with three nested loops that update pairs of coefficients using successive powers of the constant ζ (= 17).

Here is a direct translation of the NIST standard in Lean, trying to stick as close as possible to the original syntax:

The Lean version deliberately mirrors the structure of the standard: the same loop nest, the same zeta selection, and the same coefficient updates, allowing easy line-by-line human review. At the same time, it is executable and uses mathematical types, so it can be tested against known vectors and connected to higher-level theorems about the NTT’s algebraic meaning. In summary, the Lean specification is a concise, executable, mathematically meaningful model that tracks the standard closely enough to be reviewed by cryptographers and proof engineers alike.

Connecting the formal specification to the code

Once the specification is formalized, the next challenge is to connect it to the implementation. We do not ask developers to rewrite production cryptographic code in a verification-oriented language, nor do we generate code that product teams must then own. Instead, we verify the Rust code that engineers write, exactly as they write it.

Aeneas makes this possible by translating Rust’s mid-level representation into a pure Lean model. Rust’s ownership and borrowing discipline are crucial here. They let Aeneas safely eliminate much of the reasoning about pointer aliasing, liveness, and mutation that makes verification of C-style code so expensive.

For example, a Rust function that updates an array in place becomes, in Lean, a function that explicitly takes and returns a functional array. Mutable borrows are translated into value transformations. This preserves the behaviour that matters while presenting proof engineers with a functional model that is far easier to reason about.

Once in Lean, the function can be equipped with a theorem that states that it refines a formal specification. In other words, for every input satisfying the required bounds and well-formedness conditions, the implementation function returns the same mathematical result as the standard-derived Lean specification.

This style keeps responsibilities cleanly separated. Software engineers continue to write idiomatic, performant Rust. Verification engineers work against generated Lean models and prove theorems about them. The Rust code and the proofs live side by side, but the proof burden does not shape the code into something unnatural.

Going back to the NTT example, its Rust implementation is a function fn ntt(&mut [u16; 256]) that uses a mutable borrow to update an array in-place. The Lean translation purifies it into a function ntt : Array U16 256#usize → Result (Array U16 256#usize) that directly outputs the updated array, while wrapping it into a Result type to explicitly capture the fact that Rust functions may panic.

In this case, the theorem states that, if the array satisfies a well-formedness invariant (ensuring it represents a valid polynomial), then running the Rust model ntt returns the well-formed representation of the result of the mathematical specification Spec.ntt, modulo conversion from low-level arrays to high-level polynomials.

Scaling this to every function in real cryptographic code required substantial automation. Lean’s extensibility lets us build a gradient of automation with tactics for symbolic execution, arithmetic, arrays, and bit-vector reasoning. The experience becomes closer to debugging: automation handles the routine proof obligations, while engineers can inspect and refine the proof when a goal does not close automatically.

Supporting intrinsics and multiple architectures

Production cryptography cannot ignore hardware. SymCrypt must run across environments ranging from embedded and kernel contexts to cloud services. It also needs to take advantage of platform-specific instructions when they are available, including SIMD intrinsics and architecture-specific optimized paths.

A verification story that only works for a portable reference implementation is therefore incomplete. We need to verify the code that actually ships: dispatch logic, optimized routines, and target-specific variants included.

The code below is adapted from the ntt_layer  function that is internally used by the NTT. This function is compiled differently for x86-64 and aarch64, allowing dynamic dispatch to target-specific or portable implementations. On x86-64, it checks the availability of SSE2 instructions, while on aarch64 it checks for Neon.

.gist .gist-meta { display: none !important; }

As rustc’s output is inherently target specific, our toolchain compiles the code several times, one per compilation target for which verification is required, before merging the corresponding models. In effect, this merge operation turns the static dispatch permitted by the cfg attributes in the Rust code into a first layer of dynamic dispatch between x86-64 and aarch64 in the Lean model. Following what the Rust code does, these target specific models then themselves dynamically dispatch to the models of the XMM, Neon, and generic implementations.

Intrinsics require a slightly different treatment. Some low-level wrappers, especially those that manipulate raw pointers or expose platform instructions, are modelled by small, carefully reviewed Lean specifications. Others can be modelled using Rust code, which can be tested against hardware reference documentation, then translated and verified. The surrounding safe Rust code is then verified against those models. This keeps the trusted surface narrow while preserving the performance benefits of hardware acceleration.

The important point is that verification does not require giving up optimization. The methodology is designed to preserve the complexities of production code – including intrinsics, dispatch, and platform-specific implementations – while still proving a single, auditable correctness statement.

Reflecting formal guarantees to the code developer

Formal verification only scales in an engineering organization if developers can understand what has been proved. It is not enough for a proof to exist in a repository; the guarantee must be visible, reviewable, and synchronized to the code that engineers maintain.

To support this, we expose verification results through automatically generated dashboards. These dashboards summarize theorems in developer-facing terms: preconditions, postconditions, covered functions, trusted models, and remaining assumptions. Engineers do not need to open Lean to see what has been verified. For instance, below is the page displayed by the dashboard for our ntt function.

Figure 2. Dashboard page for the theorem that shows the Rust function mlkem.ntt correctly implements the NTT specified in the NIST standard.

The specification clearly presents the theorem statement included in the Lean formal development: it separates the function input and preconditions from the post-condition by putting them above a horizontal line, and use fully qualified names with links to navigate to Rust and Lean definitions.

This feedback loop is especially useful for reviewing assumptions around intrinsics, target-specific code, and boundary conditions. A cryptographic developer can for example check whether the theorem fully captures what they expect their code to guarantee, and notice a formal statement is too weak, or a precondition is wrong.

The dashboards also aligns verification with continuous development. As Rust code changes, Lean models and proofs can be regenerated and replayed. When a proof breaks, that failure becomes a signal: either the implementation changed in a way that needs a proof update, or the change has exposed a real discrepancy with the specification.

This turns formal verification from a one-time research artifact into part of the engineering workflow.

Agentic proofs

The final ingredient is automation beyond traditional tactics: AI agents. Lean is well suited to this because proofs are machine-checked by a small trusted kernel. An agent may propose a proof script, but Lean independently verifies whether the proof is valid.

We use agents in two places. First, they help translate standards into Lean specifications. Because the resulting specification is executable, aligned to the original standard, tested against official vectors, supported by mathematical theorems, and much simpler than an implementation, it can be thoroughly audited even when an agent helped draft it.

Second, agents help write and maintain proofs. With the right libraries, tactics, examples, and documentation, agents can handle large amounts of proof work: unfolding generated models, applying specifications for helper functions, discharging arithmetic obligations, and repairing proofs after refactors.

This is particularly powerful because the Rust code and Lean proofs are separated. Agents do not need to annotate or modify the production Rust implementation to make a proof go through. They operate on the proof side, and the result is accepted only if Lean validates it and the final theorem states the desired guarantee without introducing unreviewed assumptions.

In practice, this changes the economics of verification. Work that previously required months of specialist effort can be accelerated dramatically. The proof engineer’s role shifts from writing every proof by hand to designing specifications, curating automation, reviewing theorem statements, and steering agents to complete their proofs.

Conclusion

Verified cryptography has often faced a difficult trade-off: the strongest guarantees came from specialized toolchains, generated code, and workflows that were hard for product teams to adopt. Rust, Lean, Aeneas, and agentic proof automation let us revisit that tradeoff.

By verifying Rust as written, deriving auditable specifications from standards, supporting optimized multi-architecture implementations, and reflecting proof results back to developers, formal verification can become part of normal cryptographic engineering rather than an after-the-fact research exercise.

That is the long-term promise: cryptographic code that remains fast, portable, maintainable, and developer-owned, while carrying machine-checked evidence that it implements the standards it is meant to realize.

Opens in a new tab

The post Verifying Rust cryptography in SymCrypt, from standards to code appeared first on Microsoft Research.

Categories: Microsoft

Aurora 1.5: Extending open foundation models for weather and Earth-system applications

Microsoft Research - Thu, 07/09/2026 - 18:46
At a glance
  • Aurora 1.5 is a major extension of Microsoft’s Aurora Earth System foundation model that adds 22 more weather variables relevant to energy, agriculture, transport, and climate risk, along with hourly temporal resolution and probabilistic ensemble forecasting.
  • Released as open source on GitHub with model checkpoints on Hugging Face, Aurora 1.5 enables researchers and developers to use, evaluate, and build on the model.
  • Aurora 1.5 connects open research to Microsoft Weather services, linking the model with data, infrastructure, managed access, and operational use for weather and Earth-system applications.

Aurora 1.5 is a major update to the open Aurora Earth-system foundation model, adding 22 new weather variables for a broader view of atmospheric conditions, hourly forecasts, and probabilistic ensemble forecasting. Developed by Microsoft Weather as an extension of the original model from Microsoft Research AI for Science, Aurora 1.5 shows how frontier research can move into broader use: open for researchers and developers to evaluate and extend, and designed to support customers where additional data, infrastructure, and operational assurance is needed. As climate and weather-related risks continue to affect communities, infrastructure, and economies worldwide, advances in Earth-system forecasting can help improve preparedness and decision-making.

What is Aurora?

Aurora is a foundation model for the Earth system developed by Microsoft Research AI for Science, first introduced in 2024 and published in Nature (opens in new tab) in 2025. It showed that a single model could be adapted to medium-range weather, ocean waves, atmospheric chemistry, and emerging climate applications, including high-resolution weather forecasting through fine-tuning. Its growing use has reinforced the value of an open, collaborative model that is easier to adapt, evaluate, and put to use. 

This next phase of Aurora (opens in new tab) builds on that foundation by making the model openly available for the global community to adapt, extend, and build on. 

What is new in Aurora 1.5?

Aurora 1.5 advances the broader effort to make open weather foundation models practical and scalable for organizations that rely on atmospheric and Earth-system intelligence. Alongside new variables and higher temporal resolution, Aurora 1.5 adds one of the most requested capabilities from users: ensemble forecasting. Because forecasts are sensitive to initial conditions and model uncertainty, ensembles run multiple simulations to show the range and likelihood of possible outcomes. Aurora 1.5 builds on Microsoft Research’s scientific foundation with new product engineering, cloud infrastructure, managed access, and decision-support capabilities. Together, these advances make Aurora 1.5 a valuable enterprise-grade weather solution for organizations. 

Figure 1: Illustration of the capabilities of Aurora 1.5 ensemble for predicting new impactful parameters such as total cloud cover and solar radiation. Ensemble mean and standard deviation are shown. 

The breadth update adds 22 new variables to Aurora’s original 4, including representative surface, pressure-level, wind, temperature, humidity, precipitation, and radiation fields. That broader coverage makes the model more relevant for sectors that depend on integrated Earth-system signals, from energy and agriculture to transport and resilience planning. 

The update to hourly temporal resolution enables fine-grained detail for precision operational guidance, such as the onset of precipitation, trade decisions, or a landfalling tropical cyclone. 

“Aurora 1.5 is a meaningful step toward making weather foundation models more open, useful, and practical. By releasing the model openly, we give researchers, developers, and organizations a clearer path to evaluate it, adapt it, and understand where it can help. Microsoft Weather’s role is to connect that open research foundation with the data, infrastructure, and applied workflows required by enterprises to use weather intelligence responsibly and with confidence.”

Sridhar Iyer, Corporate Vice President, Microsoft AI

video series

On Second Thought

A video series with Sinead Bovell built around the questions everyone’s asking about AI. With expert voices from across Microsoft, we break down the tension and promise of this rapidly changing technology, exploring what’s evolving and what’s possible.

Explore the series Opens in a new tab Ensemble Forecasting in Aurora 1.5 Unlocks More Confident Decisions in the Face of Weather Uncertainty

The ensemble version of Aurora 1.5 introduces stochastic perturbations to represent model uncertainty, allowing the generation of multiple forecast members to estimate the spread of possible futures. For a multitude of applications including power systems, transport, agriculture, extreme-weather planning, and climate risk, the model distribution matters as much as the best estimate. 

This ensemble capability was developed through multi-stage fine-tuning on top of the original Aurora model. After expanding the variable set and adding hourly temporal resolution, the team introduced controlled perturbations into the model’s latent conditioning pathway and optimized the ensemble for probabilistic forecast quality. A final round of auto-regressive fine-tuning on ECMWF High Resolution (HRES) analysis data from 2018 to 2023 improved rollout behavior and stability.

Figure 2. Comparing Aurora 1.5’s probabilistic forecasts with the ECMWF ensemble forecast. The shading shows relative probabilistic forecast error, using ECMWF ENS as the baseline: blue areas indicate where Aurora 1.5 performs better, and red areas indicate where it performs worse. Across upper-air geopotential, temperature, and humidity, together with five surface variables, Aurora 1.5 outperforms ECMWF ENS on 88.9% of the evaluated variable-and-lead-time targets. 

Aurora’s ensemble approach summarizes uncertainty across multiple model runs. Its probabilistic forecasts outperform those of the state-of-the-art ECWMF dynamical ensemble on 88.9% of evaluated targets (Figure 1). In evaluations on all 2024–2025 tropical cyclones, Aurora 1.5 substantially reduced track errors, including roughly one-third lower track error when comparing the ensemble median to the original Aurora. An example for the devastating Hurricane Helene shows how Aurora 1.5’s skill translates to high-impact weather applications. 

Figure 3. Hurricane Helene ensemble forecast from Aurora 1.5, showing multiple plausible storm tracks starting at 0 UTC on September 24, 2024. The probabilistic ensemble forecast envelops the verified track, effectively capturing uncertainty in the storm’s progression. Figure 4. Aurora 1.5 reduces track error relative to the original model across lead times. Ensemble mean and median tracks are used for diagnostics, with the median showing the strongest gains, reaching roughly one-third lower error by day 5. Results reflect track position only.  Beyond weather: Aurora as an Earth-system foundation

Beyond medium-range weather applications, Terradot – part of the Microsoft Climate Innovation Fund portfolio—is working with the AI for Good Lab (opens in new tab) and the Microsoft Research Accelerator on TerraNova, using Aurora-derived weather representations (opens in new tab) to estimate and optimize carbon dioxide removal from enhanced rock weathering under real field conditions. Sasankh Munukutla, Co-Founder of Terradot, highlights, “By building on Aurora, we’re significantly advancing our R&D timelines and accelerating our path towards gigaton-scale carbon removal.” This work shows how Earth-system foundation models can support climate mitigation and public-interest science beyond forecasting, including settings where rigorous evaluation and responsible deployment matter.

Aurora is also being explored with partners such as the UK Met Office, exploring how foundation models can work alongside established physics-based systems to tackle problems from weather to climate time scales. The aim is faster, more flexible forecasts that support decision-making without replacing the science behind trusted prediction. 

“Microsoft’s Aurora model is an exciting and promising tool, enabling Met Office scientists to bring their data and expertise to help solve climate problems and provide new kinds of climate information. Met Office and Microsoft scientists and engineers are working together every day to translate lessons from AI weather prediction into the climate information space, sharing expertise in data science and climate science. Aurora is a great platform for learning how to translate these tools for use in climate projection to make the AI climate models of the future.”

— Doug McNeall, Science lead for Data-Driven Climate Modelling, Met Office Hadley Centre  Connecting open models to operational use

Microsoft connects open research, product engineering, responsible deployment, and partner ecosystems so that models can move from scientific advance to evaluated operational use. As an example, Aurora began in Microsoft Research AI for Science and is now being built on for operational use by Microsoft Weather, with AI for Good helping to evaluate public-interest applications. The platform path brings Aurora into Microsoft Foundry and Planetary Computer Pro, alongside Agent skills and Azure services that connect models with geospatial data, scalable infrastructure, and applied workflows. BKW provides an early proof point: the company is using Aurora 1.5 alongside existing operational Microsoft Weather models to support energy operations where weather-dependent generation, infrastructure planning, and environmental data need to come together. 

“This collaboration demonstrates how advanced AI capabilities and robust cloud infrastructure can be applied to one of the most strategic domains — energy, where weather plays a fundamental role. In a time of accelerated transformation, it supports our ambition to operate increasingly renewable-based systems, where generation is inherently weather-dependent, and to better anticipate and manage this variability with greater confidence and precision.” 

Farhat Quiñones Yamshid, Lead, AI and Technology, BKW  From open research to broader impact

Aurora’s open-source availability is intended to help researchers, agencies, companies, and civil society evaluate, apply, and extend the model. Microsoft Weather is building on that open foundation to deliver easier access to Aurora forecasts through managed services, integrations, and responsible deployment paths for organizations that depend on weather and Earth-system intelligence.

Foundation models should complement—not replace—physics-based models and domain expertise. The opportunity is to use them responsibly, with careful evaluation and transparency, and to invite researchers, agencies, companies, and public-interest partners to test where Aurora and related Microsoft Weather capabilities can improve forecasting, planning, and climate resilience in their own settings.

About Microsoft Weather 

Microsoft Weather is the AI-based forecasting team behind weather experiences across Windows, Bing, Copilot, Edge, and MSN, reaching more than a billion devices across 180 countries. The team has been applying AI to operational weather forecasting for more than seven years and has built a proven track record of delivering high-quality forecasts at global scale. Microsoft Weather has won multiple forecasting competitions and was ranked the world’s most accurate global forecast provider by an independent third party for three consecutive years from 2022 to 2024. Building on today’s Aurora 1.5 announcement, the team plans to extend this work in the coming months with additional fit-for-purpose AI weather models designed for enterprise scenarios where forecast quality, speed, uncertainty, and operational decision support matter most.

If you are interested in exploring Aurora and Microsoft Weather solutions for commercial or organizational applications, please contact us at AIWeatherClimate@microsoft.com 

Aurora 1.5 on Microsoft Foundry Aurora 1.5 on GitHub Aurora 1.5 paper Agent Skills for adapting Aurora to new applications

Opens in a new tab

The post Aurora 1.5: Extending open foundation models for weather and Earth-system applications appeared first on Microsoft Research.

Categories: Microsoft

Flint: A visualization language for the AI era

Microsoft Research - Wed, 07/08/2026 - 18:00
At a glance
  • Polished charts from simple specs. Flint allows AI agents to reliably generate expressive, visually polished charts from simple, human-editable specifications.
  • Semantic types guide design. Flint leverages semantic data types to express meanings of data. They help the compiler choose appropriate scales, baselines, formatting, and color schemes.
  • Layouts adapt to the data. Flint automatically manages sizing, spacing, labels, and layout so charts remain readable as cardinality and density change, without explicit user configurations.
  • One spec can target multiple backends. A single Flint specification can compile to Vega-Lite, Apache ECharts, or Chart.js without rewriting the chart from scratch.
  • Built for agent workflows. The open-source project includes the flint-chart library and the flint-chart-mcp server, so agents can create, validate, and render charts directly in chat or coding environments.
Figure 1. Flint supports a diverse collection of visualizations with its simple spec, which can be rendered with visualization libraries like Vega-Lite, Echarts, and Chart.js.

Creating a good chart requires many design decisions: how dates should be parsed, whether a scale should start at zero, how values should be formatted, how much room labels need, and which colors make the data easier to read. Modern visualization libraries such as Vega-Lite, Apache ECharts, and Chart.js expose these controls, but there is a trade-off: Short specifications that rely on system defaults often produce uninspiring charts, while polished visualizations require detailed specifications with purposely chosen parameters that are often verbose, fragile, and error-prone.

This trade-off becomes sharper as large language models (LLMs) and AI agents take on more visualization work. Agents are especially prone to errors when they must manage complex, low-level specification details, and the resulting fragile code can be difficult for people to inspect, repair, or reuse. Ideally, we need something in between: a compact specification that agents can produce reliably, people can edit directly, and a system can compile into a well-designed chart.

To address this challenge, we introduce Flint (opens in new tab), a visualization intermediate language for AI-driven chart creation. Flint helps AI agents create expressive, attractive charts from simple, human-editable chart specs. Instead of requiring verbose low-level parameters for scales, axes, spacing, and layout, the Flint compiler derives optimized chart settings from the data, semantic types, chart type, and encodings. The same Flint spec can render through multiple backends, including Vega-Lite, Apache ECharts, and Chart.js.

Figure 2. Flint compiles a compact, human-editable chart specification into a complete backend-native specification and rendered visualization. In this heatmap example, the Flint spec names semantic types (period as YearMonth, newUsers as Profit) and maps fields to visual channels. The compiler derives the Vega-Lite details, including temporal parsing, axis formatting, color scale, cell sizing, legend configuration, and layout. How Flint works

Figure 2 illustrates the how the Flint compiler turns a compact chart specification into a refined heatmap.

To produce a high-quality heatmap, traditionally, we need to explicitly tell the system with low-level chart properties about how to process the period field, how to properly label MonthYear values, size individual heatmap cells, and choose a color scale that appropriately represents positive and negative newUsers values. Without these configurations, visualization libraries must guess from field names and raw values, which can lead to charts that are technically valid but potentially misleading. While they are important, hard-coding these details can be difficult and error-prone, and they make specification fragile and hard for users to understand or adapt.

In Flint, these low-level details are systematically managed, where the compiler infers them from high-level data and chart specifications. Here, the data specification captures semantic types and optional metadata, and the chart specification defines the chart type and maps fields to visual channels such as x, y, color, size, or facet. From this information, the compiler derives the parsing rules, scales, axes, aggregations, formatting, color schemes, layout, and generates the backend-native specification, which is used to render the final polished visualization. This frees users from explicitly setting fragile and error-prone low-level details.

Furthermore, because the intermediate representation is separate from any single rendering library, Flint can target backends with very different APIs and programming models. Users can keep the same compact chart intent while compiling to Vega-Lite, ECharts, or Chart.js, and choose the backend whose capabilities best fit the visualization.

PODCAST SERIES

AI Testing and Evaluation: Learnings from Science and Industry

Discover how Microsoft is learning from other domains to advance evaluation and testing as a pillar of AI governance.

Listen now Opens in a new tab Flint for AI-assisted visualization

Flint is well suited to LLM-based chart generation because semantic types are often easier for models to infer than the full set of low-level visualization parameters. Field names, value patterns, and common data knowledge can help an agent recognize whether a column represents a date, price, percentage, country, ranking, or correlation. Once those meanings are explicit, the compiler can handle many design decisions that would otherwise appear as brittle, library-specific code.

In our research study, we compared Flint with DirectVL, a baseline that asks the model to directly generate full (more complex) Vega-Lite specifications in a LLM self-evaluation pipeline. Across three tested models based on testing data from Tidy Tuesdays, Flint received higher overall LLM-judge scores: 16.27 vs. 15.91 with GPT-5.1, 16.16 vs. 15.60 with GPT-5-mini, and 15.91 vs. 15.34 with GPT-4.1. In fact, Flint has been so powerful and reliable that it is now used to power Data Formulator (opens in new tab), a Microsoft Research project for AI-assisted data analysis and visualization.

To make Flint easy for your agents to access, we also release flint-chart-mcp, a Model Context Protocol (MCP) server that allows agents to create, validate, and render charts inside a chat or coding environment. MCP calls can embed data inline or read configured local files, and the server can open an interactive chart view so users can inspect and refine the results.

Figure 3. Once you set up the flint-chart-mcp with your favorite AI client, the agent can generate interactive visualizations powered by Flint to answer your data exploration questions. Try Flint

Flint is open source and ready to use:

Flint points toward a shared semantic layer for visualization, where people and AI agents can work with compact chart intent while a compiler handles the careful low-level details. We invite the community to explore the project and build on it.

Opens in a new tab

The post Flint: A visualization language for the AI era appeared first on Microsoft Research.

Categories: Microsoft

SkillOpt: Agent skills as trainable parameters

Microsoft Research - Tue, 06/30/2026 - 18:50
At a glance
  • AI agents often fail because their instructions, or skills, are manually modified with no guarantee of improvement. SkillOpt turns skill editing into a training process, making agent behavior more reliable without changing model weights.
  • SkillOpt treats an agent skill file as a trainable parameter outside a frozen target model, turning skill writing from one-shot prompting into a controlled optimization process.
  • Across six benchmarks, seven target models, and three execution modes, SkillOpt is the best or tied-best method in all 52 evaluation cells, improving performance without updating model weights.
  • SkillOpt keeps skills compact and auditable through bounded text edits, validation gating, rejected-edit feedback, and slow/meta updates, avoiding uncontrolled prompt drift.
  • The optimized skills transfer across model scales, agent harnesses, and related tasks, suggesting that they capture reusable workflow knowledge rather than benchmark-specific instructions.

Large language models (LLMs) are increasingly deployed as agents that gather evidence, call tools, and execute multi-step tasks. For these agents, the hard problem is no longer whether they can call a tool, but whether they can complete tasks reliably and consistently. Today, agent skills typically come from three sources: experts write them by hand, a frontier model generates them one-shot, or the agent loosely revises them after execution. None of these approaches behaves like a deep-learning optimizer. They lack step-size control, held-out validation, and any memory of revisions that failed. As a result, skills tend to grow longer and drift with each rewrite, and a revision that seems perfectly reasonable can quietly degrade real task performance. This uncontrolled skill evolution has become a major obstacle on the path from agent prototype to dependable, production-grade deployment.

In our recent paper, SkillOpt: Executive Strategy for Self-Evolving Agent Skills, we reframe the question from “how do we write a better prompt?” to “how do we train the skill?” SkillOpt treats the skill file as a trainable parameter living outside a frozen target model, bringing a training-style optimization loop, consistent gains across 52 evaluation cells, and a compact skill file that stays readable, auditable, and transferable.

Figure 1. A frozen target model executes tasks while a separate optimizer model trains the skill layer from trajectory feedback, exporting the reusable skill file best_ skill.md through validation gating. How SkillOpt works Video 1. SkillOpt’s optimization loop, from trajectory collection to the exported skill file.

SkillOpt organizes skill editing as a forward–backward–update cycle in text space. In the forward pass, the frozen target model executes a batch of training tasks with the current skill; the rollout batch size controls how much evidence each update receives. In the backward pass, a separate optimizer model reads the resulting trajectories in reflection minibatches, distilling patterns to preserve from successful trajectories and patterns to correct from failures.

In the update step, the optimizer proposes small add, delete, and replace edits; candidate edits are merged, deduplicated, ranked, and clipped by a textual learning rate—a per-step edit budget. Every candidate skill must then pass a strict validation gate: it is adopted only if it scores strictly higher than the current skill on the held-out validation split. Rejected edits are not discarded; they enter a rejected-edit buffer that serves as negative feedback for later optimizer calls in the same epoch. On a slower cadence, an epoch-wise slow/meta update consolidates longer-horizon lessons that single batches cannot reveal (Figure 2). Together, bounded edits, validation gating, and best-version selection keep skill optimization controllable and auditable, so the skill converges instead of drifting.

Figure 2. The SkillOpt pipeline: trajectory collection, minibatch reflection, bounded text updates, validation gating, and epoch-wise slow/meta updates jointly constrain skill training. Consistent gains across benchmarks, models, and execution modes

We evaluated SkillOpt across six benchmarks (SearchQA, SpreadsheetBench, OfficeQA, DocVQA, LiveMathematicianBench, and ALFWorld), seven target models from frontier-scale GPT-5.5 to the small open-weight Qwen3.5-4B, and three execution modes (direct chat, Codex, and Claude Code). Counting each combination as one evaluation cell, When measured against human-written skills, one-shot LLM skills, Trace2Skill, TextGrad, GEPA, and EvoSkill, SkillOpt delivered the best or tied for -best results on all 52 cells. These performance improvements are unusually large for a method that updates no model weights. With GPT-5.5 in direct chat, SkillOpt raises the six-benchmark average from 58.8 to 82.3, a +23.5-point absolute improvement—and +5.4 points above an oracle that picks the single best competing method per cell. The largest gains appear on procedural benchmarks: SpreadsheetBench rises from 41.8 to 80.7, OfficeQA from 33.1 to 72.1, and LiveMathematicianBench from 37.6 to 66.9. The same interface carries over to agentic loops, lifting GPT-5.5 by +24.8 points inside Codex and +19.1 inside Claude Code over no skill.

PODCAST SERIES

AI Testing and Evaluation: Learnings from Science and Industry

Discover how Microsoft is learning from other domains to advance evaluation and testing as a pillar of AI governance.

Listen now Opens in a new tab A small model plus a skill file

Approaching the next model tier SkillOpt also narrows the gap between small or open-weight models and frontier models—without changing any weights or adding any extra model calls at inference. After optimization, GPT-5.4-mini’s six-benchmark average (64.3) exceeds the no-skill baseline of the larger GPT-5.4 (59.7), and GPT-5.4-nano (57.4) exceeds the no-skill baseline of GPT-5.2 (51.3). Qwen3.5-4B, a 4-billion-parameter open-weight model, surpasses GPT-5.2’s no-skill baseline as well. Gains that once required a larger model can now be approximated by one optimized skill file.

Skills that transfer: train once, reuse everywhere

The optimized skill file captures reusable task-solving procedures rather than instructions overfit to a single model, benchmark, or execution environment. This is why the same skill can still improve performance when transferred across model scales, agent harnesses, and related tasks. In our transfer experiments, skills continued to deliver gains when moved across model scales, across execution harnesses, and to a nearby math benchmark. The clearest example is cross-harness transfer: a spreadsheet skill trained inside Codex, dropped into Claude Code with no further optimization, lifts the no-skill baseline from 22.1 to 81.8 (+59.7)—slightly above the 80.4 achieved by training directly inside Claude Code. Because the two harnesses expose different tool surfaces, this suggests SkillOpt learns general workflow logic, not just harness-specific recipes.

Compact, readable, and built from very few accepted edits

The deployed artifact, best_ skill.md , is neither an opaque parameter blob nor an ever-growing log. Across six case studies, the median final skill length is roughly 920 tokens, and because the validation gate rejects most proposals, only one to four edits are accepted into the final file. OfficeQA’s +39.0-point gain comes from a single accepted edit. The learned rules read like a seasoned practitioner’s advice. Component ablations confirm that the controls do the work: removing the rejected-edit buffer lowers scores on all three ablation benchmarks, and removing both the meta skill and the slow update drops SpreadsheetBench from 77.5 to 55.0. A new adaptation layer for the agent era SkillOpt points to a lighter-weight path for domain-adapting agents: instead of fine-tuning weights, hard-coding task logic, or hand-tuning prompts, teams can train a small, versionable, auditable natural-language skill layer—wherever automatic evaluation or a reliable verifier exists.

By bringing learning rates, schedules, validation splits, rejected samples, and slow updates to agent skills, SkillOpt suggests that training need not be limited to model weights. Procedural knowledge outside the model can also be optimized.

When that process is controlled, validated, and recorded, a natural-language skill becomes a stable, transferable, and reversible adapter between frontier-model capability and real-world workloads. Read the full paper, visit the project page at aka.ms/skillopt (opens in new tab), or explore the SkillOpt GitHub repository at github.com/microsoft/SkillOpt (opens in new tab). Teams building agentic workflows can use SkillOpt as a foundation for training reusable skills against their own tasks and verifiers. See also our companion project, SkillLens.

Paper GitHub SkillLens Project Page Opens in a new tab

The post SkillOpt: Agent skills as trainable parameters appeared first on Microsoft Research.

Categories: Microsoft

Memora: A Harmonic Memory Representation Balancing Abstraction and Specificity

Microsoft Research - Mon, 06/29/2026 - 23:14
At a glance
  • Today’s AI agents don’t remember past interactions. They must repeatedly be fed relevant information or retrieve it from external sources, which becomes less efficient as they handle longer and more complex tasks. To scale agent capabilities, we need a more efficient way to retain and access information over time.
  • Memora is a scalable memory system that dramatically increases agent productivity on long-horizon tasks by decoupling what is stored (rich memory content) from how it’s retrieved (lightweight abstractions and cue anchors), balancing abstraction and specificity.
  • Memora sets new state-of-the-art on LoCoMo and LongMemEval, outperforming Mem0, RAG, and full-context inference while using up to 98% fewer context tokens.
  • Memora paper (opens in new tab) is published at ICML 2026. Memora code is available at https://github.com/microsoft/Memora (opens in new tab).

Imagine a workplace AI assistant helping you run a multi-month project. Over weeks of conversations, you share constraints, agree on milestones, revise deadlines, and surface dozens of stakeholder preferences. When you later ask it to draft an update for a colleague, it should recall not just the latest decision but the journey that got you there: what was tried, what was ruled out, who weighed in. Today’s AI agents struggle with this. Modern large language models (LLMs) are powerful reasoners, but they are effectively stateless: every session starts from zero, every long conversation forces the model to re-read its entire history, and every new piece of information is either stored as raw text (fragmented and noisy) or compressed into a vague summary (precise details lost). As AI assistants and autonomous agents move into long-horizon deployments, such as copilots that track a project for many months or even research agents that build up domain expertise with long horizon usage, the absence of principled memory system has become the critical bottleneck.

A growing line of work has begun to fill this gap. Systems like Mem0 extract atomic facts from conversations; retrieval-augmented (RAG) approaches index raw text fragments for later recall; and graph-based memory systems such as Zep and GraphRAG impose structure through entity relations. Each represents real progress, yet each runs into the same wall: existing designs force an unavoidable tradeoff between specificity (preserving fine-grained detail) and abstraction (organizing memory efficiently as it grows). Memora is built to give agents both.

What is Memora

Memora is an agentic memory framework designed for long-horizon AI agents. Memora’s central insight is to decouple what is stored from how it is retrieved. Memory content can remain rich and expressive, such as a project timeline, a multi-turn discussion about constraints, while a separate, lightweight structural layer handles indexing and retrieval. The result is a memory system that scales: it consolidates related information into stable units, surfaces fine-grained details when they matter, and lets the agent navigate its own history without re-reading everything. On standard long-conversation benchmarks, Memora sets new state-of-the-art performance while using up to 98% fewer tokens than would be consumed by dumping the full history into context.

Why this is hard: the abstraction–specificity tension

Existing memory systems fall into two extremes. Content-fragmentation systems, such as RAG and Mem0, embed extracted facts or text fragments directly. This preserves detail but produces brittle, isolated entries that lose narrative coherence. Coarse-abstraction systems compress experience into compact summaries. They are efficient, but summarization strips away the constraints, edge cases, and numeric details that make memory useful in the first place. Graph-based systems add structure on top of content, yet still rely on the content itself for retrieval and typically require rigid ontologies that don’t generalize across domains. None of these resolves the underlying tension between abstraction (which keeps memory efficient) and specificity (which gives memory utility).

Figure 1: Architecture overview of Memora. How Memora works

Memora resolves this tension through a harmonic organization. Each memory entry has two components: a primary abstraction, which a short phrase (6–8 words) that captures what the memory is fundamentally about, and a memory value holding the rich content itself. Crucially, only the primary abstraction is embedded for similarity search; the value is never directly retrieved through its own content. This separation means new information about an evolving topic merges into the existing memory entry under the same primary abstraction, rather than fragmenting into a chain of partial duplicates. Complementing primary abstractions, cue anchors are short, context-aware tags extracted from each memory’s value, providing alternative access paths to the same memory. They function as flexible, organically-generated metadata.

To make this concrete: suppose a user says, “Dave and Sarah agreed to push the prototype to April 1, the pilot to May 2, and the MVP to May 30.” A knowledge-graph system would need predefined entity types and relation schemas: Person → agreed_on → Milestone → has_date → Date, and any new relation type would require schema extension. In Memora, the primary abstraction Updated Project Orion timeline agreed by Dave and Sarah serves as the canonical access point, while cue anchors like Dave Project Orion update, Project Orion prototype schedule, and Project Orion pilot timeline provide alternative retrieval paths — all without committing to an ontology. A later query about Dave’s recent contributions, or the prototype schedule, or pilot timing can all route to the same underlying memory through different cues, with the full detail preserved in the memory value.

On top of this representation, Memora introduces a policy-guided retriever that treats memory access as an active reasoning process. Rather than returning the top-k semantically similar items in a single shot, the policy retriever iteratively refines its query, expands through cue anchors to surface related-but-not-similar memories, and decides when to stop. This lets the agent navigate to relevant non-local context that pure semantic search would miss, chasing multi-hop dependencies the way a human would when recalling connected events. The retrieval policy can be either hand-prompted with a strong LLM or distilled into a much smaller model via reinforcement learning.

Spotlight: AI-POWERED EXPERIENCE

Microsoft research copilot experience

Discover more about research at Microsoft through our AI-powered experience

Start now Opens in a new tab Results Figure 2: Memora performance on LoCoMo dataset.

We evaluate Memora on two long-context benchmarks: LoCoMo, where dialogues average 600 turns, and LongMemEval, with 115,000-token contexts. Memora achieves new state-of-the-art performance on both: 86.3% LLM-judge accuracy on LoCoMo and 87.4% on LongMemEval, outperforming RAG, Mem0, Nemori, Zep, LangMem, and even full-context inference. The gap is largest on multi-hop reasoning, where Memora’s ability to traverse cue anchors pays the biggest dividends. The efficiency story is just as striking: Memora stores roughly half the memory entries per conversation that Mem0 does (344 vs. 651) and reduces token consumption by up to 98% relative to full-context inference. Less to read, less to store, better answers.

Looking forward

Memora’s design has implications beyond benchmark performance. We see this work as a step toward AI agents that can sustain long-term collaboration with users and accumulate organizational knowledge over months and years, not just within a single session. Building on this foundation, we are pursuing several complementary directions. MemLoop explores how memory systems can learn from retrieval and task failures, attribute errors to specific stages of the memory pipeline, and improve themselves over time. Deferred Memory investigates when memory construction should be postponed until sufficient context, evidence, or future utility becomes available, rather than committing prematurely to what should be stored. Group Memory examines how knowledge can be shared across teams and agents while preserving provenance, access boundaries, ownership, and sensitive context. We release our code alongside the paper and invite the community to build on this representation and explore what becomes possible when AI agents are no longer stateless.

Acknowledgements

We would like to thank Shantanu Dixit (Research Fellow) Paramaguru Harimurugan (Research Fellow), Rujia Wang, Victor Rühle, and Robert Sim for contributing to this project.

Opens in a new tab

The post Memora: A Harmonic Memory Representation Balancing Abstraction and Specificity appeared first on Microsoft Research.

Categories: Microsoft

Understanding the brain with AI-driven explanations and experiments

Microsoft Research - Thu, 06/25/2026 - 18:00
At a glance
  • LLM-based models can predict the human brain’s responses to language with high accuracy. But what drives that performance is essentially unreadable: a vast collection of learned parameters, not scientific theories anyone can read.
  • Generative causal testing (GCT), developed in a collaboration between Microsoft Research, the University of California, Berkeley, the University of California, San Francisco, and Columbia University, distills these brain-prediction models into short verbal explanations of what each patch of cortex responds to: phrases like “food preparation” or “location names.”
  • GCT then closes the loop: an LLM writes new stories designed to activate a targeted brain area, subjects hear them in the scanner, and the region lights up only if the explanation is right.
  • In experiments, GCT confirmed known selectivity, teased apart neighboring place-processing regions long thought interchangeable, and revealed tiny prefrontal “micro-regions” tuned to specific concepts like dialogue, clock times, and measurements.
The explainability problem in language neuroscience

Over the past decade, LLMs have become the most accurate tools we have for predicting how the human brain responds to language. Feed an LLM the same story a person hears in an fMRI scanner, and the model’s internal representations can predict the activity of individual patches of cortex with remarkable fidelity. But this success comes with a catch: nobody can read these models. They are millions of inscrutable parameters that can’t be directly translated into interpretations. A model that predicts brain activity tells us that a region responds to language, but not what it is actually picking up on, whether it’s food, places, numbers, or something else entirely. As black-box models spread, the gap between prediction and understanding has become one of the central problems in computational neuroscience.

Turning black boxes into testable theories

In a new paper accepted in Nature Neuroscience, Microsoft Research scientists, in collaboration with scientists at the University of California, Berkeley, University of California, San Francisco, and Columbia University, introduce a framework to overcome this explainability crisis: generative causal testing (GCT). GCT distills brain-prediction models into short, readable accounts of what each patch of cortex responds to, then tests those claims. An LLM writes new stories engineered to activate a specific brain area, subjects hear them in the scanner, and if the explanation is correct, the targeted region lights up. The result is a method that translates uninterpretable predictive models back into the currency of science: concise hypotheses that can be confirmed or refuted in a follow-up experiment. An LLM writes new stories engineered to activate a specific brain area, subjects hear them in the scanner, and if the explanation is correct, the targeted region lights up. The result is a method that translates uninterpretable predictive models back into the currency of science: concise hypotheses that can be confirmed or refuted in a follow-up experiment.

Figure 1. The two steps of generative causal testing (GCT). In Step 1, the phrases that most strongly drive a brain region’s predictive model are summarized by an LLM into a short candidate explanation, such as “food preparation.” In Step 2, an LLM writes new stories designed to match that explanation, and the region’s response to these “driving” stories is measured in the scanner and compared against baseline.  How GCT works

GCT has two steps: explanation, then verification. To generate an explanation, the method starts from a predictive model for a single voxel or region and identifies the short phrases that most strongly drive its predicted response. An LLM then summarizes those words into a concise verbal explanation, often a single phrase such as “food preparation” or “location names.”

The crucial second stage closes the loop. To build trust in the explanation, GCT uses an LLM to write new stories in which each paragraph is carefully constructed to drive a brain region according to its explanation. Three subjects returned to the scanner to read these synthetic stories. If a region’s activity to its “driving” paragraphs was significantly greater than to baseline text, the explanation passed a genuine causal test, not just a correlational one.

Across all three subjects, the core approach held up: the synthetic stories reliably drove their target regions above baseline, confirming that GCT’s short explanations capture something the cortex genuinely responds to. The explanations were also most trustworthy where the underlying brain-prediction models were strongest (the more stable the model, the more reliably its explanation could be confirmed in the scanner). With the method validated on regions whose selectivity was already known, the researchers turned GCT on harder questions.

Figure 2. Brain response maps to GCT stories for different topics. Some maps recover well-established findings: the explanation “Locations” produces strong responses in the place areas RSC, OPA, and PPA. Others independently confirm newer hypotheses: “Food Preparation” activates a region in ventral occipital cortex near the fusiform face area (FFA). Some like (“Birthdays”) do not map cleanly onto any known result, pointing toward directions for future research.

GCT also proved sharp enough to settle long-standing ambiguities. Three neighboring regions involved in processing places have often been treated as functionally similar: the retrosplenial cortex (RSC), the parahippocampal place area (PPA), and the occipital place area (OPA). At first, stories written for one region also activated the others. But by generating differential stimuli (stories designed to switch one region on while keeping its neighbors quiet), GCT teased the three apart. For example, RSC responds more strongly to proper noun location names, like Tokyo or Connecticut, rather than general location. This is the kind of nuanced, region-specific theory that a raw predictive model cannot provide on its own.

Beyond known regions, the authors discovered new prefrontal “micro-regions.” By scanning a grid of candidate locations and keeping only the most stable ones, GCT surfaced these previously unmapped regions tuned to remarkably specific concepts: one selective for dialogue between people (words like “said” or “told”), one for mentions of clock times (“one o’clock”), and one for numeric measurements (“50 feet”). These are distinctions no one had gone looking for; they emerged because the method could propose a hypothesis and immediately test it.

video series

On Second Thought

A video series with Sinead Bovell built around the questions everyone’s asking about AI. With expert voices from across Microsoft, we break down the tension and promise of this rapidly changing technology, exploring what’s evolving and what’s possible.

Explore the series Opens in a new tab Implications and looking forward

The significance of GCT reaches well beyond neuroscience. Researchers increasingly face the same dilemma: a model that predicts beautifully but explains nothing. GCT shows that a data-driven model need not be the end of inquiry; it can be distilled into a readable, experimentally testable theory, and that theory can be checked against reality by generating new experiments on demand.

For neuroscience specifically, GCT points toward a faster, more hypothesis-rich way of mapping the cortex—one where an AI system proposes what a brain region might encode and a closed-loop experiment confirms or rejects it within a single study. The same generate-and-verify philosophy could extend to other domains where powerful predictive models have outrun our ability to understand them. The broader lesson is hopeful: the rise of black-box models in science does not necessarily mean the retreat of human-readable theory. With the right framework, the two can advance together.

Acknowledgements

This work was a collaboration across Microsoft Research, UC Berkeley (Alex Huth, Bin Yu, Sihang Guo, and Aliyah Hsu), Columbia University (RJ Antonello, co-lead), and UCSF (Shailee Jain). We also thank the study participants and the broader language-neuroscience community whose tools and datasets made this research possible.

Read the paper (opens in new tab): “Generative causal testing to bridge data-driven models and scientific theories in language neuroscience,” accepted in Nature Neuroscience and the code on Github (opens in new tab).

Opens in a new tab

The post Understanding the brain with AI-driven explanations and experiments appeared first on Microsoft Research.

Categories: Microsoft

Talos: Scaling rare disease diagnosis with automated, iterative genomic reanalysis

Microsoft Research - Wed, 06/24/2026 - 16:00
At a glance
  • Talos is an open-source tool for automated, iterative reanalysis of genomic data in rare disease. It efficiently re-examines stored sequencing data as scientific knowledge evolves and flags variants with newly actionable evidence.
  • Talos is tuned for a low false-positive rate: across a validation set of nearly 1,100 patients, it recovered 90% of in-scope diagnoses while flagging only 1.3 candidate variants per patient for expert review. This is essential to making reanalysis sustainable at scale.
  • Deployed across a prospective cohort of almost 5,000 undiagnosed patients, Talos delivered 241 new diagnoses (5.1% additional yield). An average of only 32 days passed between supporting evidence becoming public and the resultant diagnosis.
  • On monthly iterative cycles, analysts only needed to review one new variant per 200 patients, demonstrating that frequent, systematic reanalysis can be run sustainably.
Why genome reanalysis matters

Genomic testing has transformed the diagnosis of rare disease, but even with this advancement, more than half of patients remain undiagnosed after their first test. This is because our knowledge of the genome is still incomplete. Researchers are learning more every day about the function of specific genes and how they relate to disease.

However, unlike most diagnostic investigations, genomic data has a unique property: it can be stored and reexamined indefinitely. Because our understanding of the genome improves constantly, simply rerunning the analysis later can yield a diagnosis that was impossible to make the first time. This is because there are hundreds of new gene–disease associations and thousands of new variant classifications reported every year.

Reanalysis of the genomes of undiagnosed patients is the solution; a meta-analysis of nearly 9,500 undiagnosed patients found that reanalysis lifted diagnostic yield by about 10% over roughly two years. However, the problem is that reanalysis today is overwhelmingly manual. It depends on motivated clinicians, scarce laboratory staff, and inconsistent reimbursement, so the vast majority of stored genomes are never revisited and the data keep accumulating. Automation has long been proposed as the answer, but the developers of automated machinery must navigate hard trade-offs between sensitivity, specificity, how many candidate variants a human must review, and how often the analysis is rerun.

Talos (opens in new tab), developed through a collaboration spanning the Centre for Population Genomics, Australian Genomics, the Broad Institute, and Microsoft, was built to resolve those trade-offs and to demonstrate, at international scale, that systematic reanalysis is both feasible and valuable. We have recently published a journal article (opens in new tab) detailing how Talos functions and evaluating its performance on multiple rare disease cohorts.

How Talos works

Talos re-interprets a patient’s existing variant calls against the latest community knowledge each time it runs. It draws on two continuously updated public resources: PanelApp Australia (opens in new tab) for gene–disease relationships and modes of inheritance, and ClinVar (opens in new tab) for variant-level pathogenicity. It then applies a variant-prioritization algorithm designed to surface variants most likely to meet ACMG/AMP criteria for clinical reporting.

Figure 1 – Talos overview. Talos operates in multiple stages, first collecting unchanging information about genetic variants and the patients who possess them, then applying up to date knowledge to filter and prioritize variants that are likely to be clinically relevant, then finally surfacing those variants to clinicians alongside supporting evidence. 

The pipeline uses newly discovered information to tag and filter variants, then refines the candidate set using family structure (for example, mode of inheritance and de novo status) and, when available, the patient’s phenotype. Talos can be used to interpret single-nucleotide variants, small insertions/deletions, copy number variants, and large structural variants from exome or genome data.

Two design choices distinguish Talos. First, it is deliberately conservative, optimized to return a small set of high confidence variants rather than a long ranked list, because in real-world genomic reanalysis the limiting factor is human review time, not algorithmic recall. Second, on repeat runs, Talos returns only variants whose supporting evidence has changed since the previous cycle, allowing clinicians to focus exclusively on findings that aregenuinely new.

Validated against expert manual analysis

We benchmarked Talos on two independent cohorts that had already undergone careful manual analysis: the Australian Acute Care Genomics (ACG) cohort of critically ill infants and children, and the U.S.-based Rare Genomes Project (RGP) cohort of families with prior uninformative testing. This included 1,089 probands in total.

On ACG trios, Talos recovered 90% of in-scope diagnoses while returning a median of just 1.3 candidate variants per family. The diagnoses it missed were largely a direct consequence of its conservative strategy, for example, recessive variants lacking ClinVar support that human analysts had classified using trans configuration or functional studies.

Crucially, Talos held the same operating point on the very different RGP cohort, agroup of families who had previously had uninformative clinical testing, with probands ranging up to 82 years of age. On RGP trios, it recovered 87% of in-scope diagnoses (47 of 54) at a median of 1.3 candidate variants per trio, showing generalizability across cohorts.

We then benchmarked head-to-head against Exomiser, a widely used prioritization tool. Talos matched its overall sensitivity for small variants, but at a very different operating point: Exomiser ranks and returns a broad list, while Talos returns a short, highly specific one. In a paired comparison, the two tools were statistically indistinguishable when all of Exomiser’s ranked variants were reviewed, but Talos came out significantly ahead once review was limited to a realistic budget—the top five (p = 0.017) or top one (p < 0.0001) ranked variants. Notably, the two tools surfaced different variants, so they are complementary and should ideally be used together in diagnostic workflows.

video series

On Second Thought

A video series with Sinead Bovell built around the questions everyone’s asking about AI. With expert voices from across Microsoft, we break down the tension and promise of this rapidly changing technology, exploring what’s evolving and what’s possible.

Explore the series Opens in a new tab Deployed on an international scale

The experiment we were most excited about was a tested-but-undiagnosed cohort of 4,735 individuals, drawn from Australian Genomics research studies and a single diagnostic laboratory. Most patients were singletons with neurodevelopmental, cardiac, renal, and/or neurological indications.

Talos produced 241 new diagnoses in 238 individuals—a 5.1% additional yield, with every single likely-causative variant subsequently confirmed as pathogenic or likely pathogenic by accredited labs.

The sources of those diagnoses illustrate why reanalysis is such a powerful paradigm:

  • 32% came from new gene–disease relationships discovered since the original test,
  • 22% came from new variant-level evidence (reclassifications), and
  • 45% came from improved filtering and analysis—including variant types such as CNVs and structural variants not examined originally, phenotype filters that had been set too narrowly, and other sources.

Yield was consistent across clinical areas (roughly 5–6% for neurodevelopmental, cardiac, and renal indications) but the reasons differed: new gene associations and CNVs dominated neurodevelopmental diagnoses, while variant reclassification drove most cardiac ones. Genome data outperformed exome (6.1% vs 4.8%), partly by reaching non-coding diagnoses such as RNU4-2 and a deep-intronic MRPL39 variant. A recurring theme was the lag in conventional knowledge bases: 59% of the new gene–disease diagnoses were not yet curated in OMIM at the time of reanalysis, underscoring the value of drawing on a rapidly updated resource like PanelApp Australia.

From a one-off event to a continuous program

We then ran Talos for 29 monthly iterative cycles. Most diagnoses (92%) came on a cohort’s first pass, but the iterative design proved its value on two fronts. First, it demonstrated the scalability of ongoing reanalysis: because later cycles return only newly actionable evidence, they surfaced an average of just one variant per 200 cases over the program. Second, it showed how quickly we can move from scientific discovery to diagnosis: on average just 32 days passed between new knowledge appearing in a public database and a patient receiving a diagnosis, with the fastest case turning around in a single day. Figure 2 provides timelines for three example patients showing how continual reanalysis can bring answers to families within weeks of new scientific findings. The whole pipeline is cheap enough to run continuously: annotating 1,000 genomes cost about $11, and a monthly reanalysis pass ran for a few cents per cohort.

Figure 2 – Diagnostic odyssey for three example patients. Each patient spent years after genetic sequencing waiting for a diagnosis. For Patient 1, the scientific discovery enabling their diagnosis happened one month after their testing, but no diagnosis was made until the first time their genetic data was reanalyzed using Talos. For patients 2 and 3, diagnoses were made within a month of the relevant scientific findings because the patients were already in the reanalysis pipeline.  Looking ahead

Talos reframes genomic reanalysis from a rare, labor-intensive event into a continuous, automated program that can keep pace with the science. By optimizing for specificity, it respects the real bottleneck of expert reviewer time, and by drawing on openly shared, frequently updated resources like PanelApp Australia and ClinVar, it turns the global community’s accumulating knowledge into diagnoses for individual patients, often within weeks.

We believe we’ve established a foundational capability, and we’re excited to see how the community builds on it. In particular, as more advanced AI models for understanding and predicting the consequences of genetic variation become available, we’re looking forward to leveraging them in the reanalysis of unsolved rare disease cases.

Talos is open source and straightforward to deploy in cloud environments like Azure. Our results offer a practical blueprint for health systems aiming to deliver frequent, scalable reanalysis to the many patients still searching for diagnoses.

GitHub Nature Publication Opens in a new tab

The post Talos: Scaling rare disease diagnosis with automated, iterative genomic reanalysis appeared first on Microsoft Research.

Categories: Microsoft

Ire identifies another LOTUSLITE specimen

Microsoft Research - Fri, 06/12/2026 - 22:30
At a glance
  • Project Ire identifies a LOTUSLITE variant that shares TTPs (tools, tactics, procedures) with the public family but none of its indicators of compromise (IOC). 
  • The LLM-driven agent produces a function-by-function behavioral report on the sample without any user interaction to determine whether it is malicious.
  • The binary names a threat actor in cleartext; the agent declines to attribute and instead focuses on statically analyzing the behaviors.

We pointed Project Ire, Microsoft’s autonomous malware-classification agent, at a malware sample—blind—and asked for a verdict. The sample is a variant of LOTUSLITE, a Windows DLL backdoor recently documented by Acronis. Our copy’s hash isn’t in their IOC list, and as of June 4, most major EDRs (CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto, ESET) still don’t flag it as malware. Ire produced a function-by-function behavioral report—install routine, C2 packet layout, command IDs, persistence mechanism, obfuscation—that lines up with Acronis’s published analysis. One decompiler-based run, no human priors.

This is what behavioral, agentic reverse engineering can achieve when signature matching and manual inspections fall short. Variants that share TTPs but not indicators of compromise (IOC) get caught instead of slipping past signature lists. Novel malware classification is a domain with no automatic validator, requiring in-depth investigation and holistic understanding of the software’s behaviors to surface and determine intent. Ire operates without context: no origin metadata, no telemetry, no analyst prompt. It invokes decompilers and binary-analysis tools, builds an auditable chain of evidence, and reaches a malicious-or-benign verdict.

Acronis’s Threat Research Unit (TRU) published a writeup (opens in new tab) on LOTUSLITE, a DLL backdoor delivered through a politically themed ZIP, sideloaded through a renamed Tencent KuGou launcher. They attribute it to Mustang Panda at moderate confidence based on infrastructure overlap and the loader/DLL split. Hunting on VirusTotal for samples whose behavior matched the report, we surfaced one whose SHA-256 doesn’t appear in Acronis’s IOC list.

The sample: 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653 (opens in new tab). When we picked it up on May 28, VirusTotal showed 1 of 72 vendors flagging it.

Figure 1. File Sample 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653 detection state on VirusTotal on May 28, 2026.

A week later, that rose to 7 of 70. The cluster: Microsoft Trojan:Win32/Malgent!MSR, Kaspersky HEUR:Trojan-Dropper.Win32.Dorifel.gen, Rising Dropper.Dorifel!8.31E (CLOUD), Cynet (score 100), Elastic (moderate confidence), Kingsoft, TrendMicro-HouseCall. With Microsoft now flagging, VT’s popular threat label has shifted to dropper.dorifel / malgent. CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto, and ESET still miss it. VT lists the file type as pedll (PE DLL) and the filename as SmartPrintScreen.Print.

Figure 2. File Sample 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653 detection state on VirusTotal on June 4, 2026.

We analyzed the sample with Ire, using only its decompiler-based tools through a single tool call. Ire’s verdict was “malicious”; you can review the complete report on Github (opens in new tab).

On Ire’s calibration

One noteworthy observation in Ire’s report (opens in new tab) is worth highlighting first. Ire flagged the nfapi::nf_unRegisterDriver and NetFilter naming as suspicious but explicitly did not claim active packet interception. The function in question writes the Run key; it does not install a driver. This is where LLM-driven analysis can go wrong: suggestive strings can steer the verdict. A function called nf_unRegisterDriver sounds like it does kernel-level work, and a less thorough agent would write that into the report. Downstream defenders would then chase a phantom, building detection rules for behavior that may or may not be there. Ire flagged the misleading name and considered the behavior as one piece of the evidence during its final adjudication of malice.

Comparing the two reports Acronis specimenOur sampleSample typeloader EXE + kugou.dllthe malicious DLL itself: AMPV.dll (VT type pedll)Install dirC:\ProgramData\Technology360NB\C:\ProgramData\SmartPrint\Installed exeDataTechnology.exeSmartPrintScreen.exeRun-key valueLite360DadaBankMarker arg–DATA–DaDaBarC2 magic0x8899AABB0xB2EBCFDFLurepolitically themed ZIP, Venezuela-themed launcherfake “PDF corrupted” message boxMustang Panda linkinfra and TTP overlap, moderate confidence (Acronis’s call)not independently assessed; binary contains the literal string BelievemeIamMustang-Panda

Comparing Ire’s output with Acronis’ report, the sample we analyzed matches the behavioral profile of the LOTUSLITE family of malware. Both show a loader/DLL split, HTTPS C2 carrying a custom binary protocol with a magic DWORD, interactive shell over pipes, directory enumeration, file primitives, chunked upload, HKCU persistence, and traffic camouflaged as Google and Microsoft services. The surface details differ—filenames, paths, magic value—but the underlying behaviors align. Ire correctly identified this sample as part of the same family of malware because of the behaviors it was able to identify through decompilation and reverse engineering, not on string match alone.

Because the sample is a DLL (pedll per VT), the sample’s install routine reads differently than it might look at first. The DLL copies two files into C:\ProgramData\SmartPrint\: the loader EXE that sideloaded it (its host process, obtained via GetModuleFileName(NULL), written as SmartPrintScreen.exe) and itself (AMPV.dll, the analyzed sample). The Run key points at the loader with –DaDaBar. On the next logon, the loader runs and sideloads AMPV.dll from the install path. This is the same Acronis-identified pattern but with different filenames.

This also explains the binary’s strange export surface. The DLL exports a long list of banking and QR-themed names (Query_Bank, BankSepah_Iran, BankToman_BMI, BankofChina, qrBankInit, JpgSymbolToBMP, and others), most of which resolve to a message box or ExitProcess. The shape suggests a hijacked banking/QR SDK shell, repurposed so the host EXE can call any one of those exports via GetProcAddress and reach the LOTUSLITE entry point. Acronis names theirs DataImporterMain. The Ire report does not surface a matching entry-point name, but it identifies that the behavioral shape is the same.

Acronis attributes the malware family to Mustang Panda at moderate confidence based on infrastructure and TTPs we don’t have access to, while our sample directly contains a literal actor-name string “BelievemeIamMustang-Panda” with no obfuscation. A string isn’t direct proof of authorship; it could be a developer artifact, a trophy, or a deliberate plant. While we are not making an attribution call, we note that the binary names the same actor that Acronis named through other means, and we leave the question open. Another consideration to make for this finding: a string like this can function as adversarial input to LLM-driven analysis, biasing the verdict.

video series

On Second Thought

A video series with Sinead Bovell built around the questions everyone’s asking about AI. With expert voices from across Microsoft, we break down the tension and promise of this rapidly changing technology, exploring what’s evolving and what’s possible.

Explore the series Opens in a new tab Why this matters

Ire statically reverse-engineers binaries and identifies the behavior from the function to the system level to describe what the software does and determine a verdict. The verdict of this sample came from a single Ire run because of the specific detail Ire was able to surface: function roles, packet layout, command IDs, persistence registry keys, and decoy strings. Ire never named LOTUSLITE in its report or chain of evidence. The family mapping is ours, after the fact, comparing Ire’s report against Acronis report. Ire described the behavior precisely enough to make the mapping straightforward of this sample to LOTUSLITE.

Stay up to date on the latest findings and other interesting sample detections from Project Ire by following along on our project page.

View Ire’s system output report Opens in a new tab

The post Ire identifies another LOTUSLITE specimen appeared first on Microsoft Research.

Categories: Microsoft

Data Formulator 0.7: AI-powered data analytics for enterprise data

Microsoft Research - Thu, 05/28/2026 - 18:00
At a glance
  • Data Formulator 0.7 is an open-source AI-powered system for enterprise data analytics that combines data connectivity, agent-guided exploration, and visualization refinement in a shared workspace.
  • It includes a Data Connectors feature, which supports governed, reusable connections across databases, warehouses, BI systems, object stores, and local files, reducing integration work for platform teams.
  • Context-aware agents help users prepare data, explore analyses, generate visualizations, and navigate long-running and branching analytical workflows.
  • An interactive, multimodal interface allows teams to iteratively explore and refine analyses across fragmented data sources, with no SQL or programming expertise required.

Enterprise teams increasingly rely on AI systems for analytics, but enterprise data workflows are often fragmented across storage systems and tools. Before analysis can begin, teams often need to establish governed connections, prepare metadata, manage permissions, and build workflows for combining and reshaping data across multiple systems.

Beyond data connection, analysis itself remains challenging for analysts and domain experts, many of whom lack deep coding expertise. They frequently need to compute new metrics, compare different ways of organizing data, inspect intermediate outputs, and refine visualizations as needs evolve. These workflows are difficult to reproduce inside isolated chat interactions that lack persistent access to enterprise data, workflow history, and visualization context.

Our new release, Data Formulator 0.7 (opens in new tab), is designed to address these challenges. It is an open-source AI-powered data analysis system that connects fragmented enterprise data and iterative analytical workflows. It provides a lightweight way to connect across a variety of data sources, context-aware agents that assist with data preparation, exploration, and visualization, and an interactive workspace where users can iteratively refine and share their analyses.

Spotlight: Event Series

Microsoft Research Forum

Join us for a continuous exchange of ideas about research in the era of general AI. Watch the latest episodes on demand.

Watch on-demand Opens in a new tab Connecting enterprise data with Data Connectors

Data Formulator helps teams bring enterprise data into an AI-ready workspace without needing to rebuild the same connections for every source of data. The Data Connectors feature supports authentication, persistent connections, previews, metadata, and a unified workspace model across databases, warehouses, BI systems, object stores, and local files. This reduces integration work for platform teams and allows users to work from centrally managed, reusable data connections rather than relying on repeated manual file uploads, as shown in Figure 1. 

Figure 1. Data Connectors provide persistent connections between enterprise data sources and Data Formulator, allowing analysts and AI agents to load, query, and visualize shared data. Context-aware agents for data analysis

Context-aware AI agents form the core of Data Formulator. Unlike a single prompt, Data Formulator gives agents access to the full analysis workspace, including connected data sources, loaded tables, prior charts, and the user’s objective. Agents reason and act through tools rather than text alone. In a single interaction, an agent can inspect data, write and run code in an isolated environment, generate chart specifications, and explain its results while showing intermediate steps.

When a request is ambiguous, the agent asks clarifying questions before proceeding. This allows agents to carry out more complex analytical workflows: aligning analyses with the user’s goal, preparing and transforming data, suggesting follow-up questions, generating tables and charts in batch, and creating verifiable, reproducible code for every result.

A workspace for iterative data analysis

Data Formulator pairs these agents with a multimodal interface designed for open-ended analysis workflows. Users work with agents through the Data Thread, a structured chat that records every question, intermediate finding, and chart throughout the analysis process. Long sessions stay navigable: users can revisit earlier steps, branch into alternative analyses, and compare them side by side without losing context.

As illustrated in Figure 2, the interactive canvas complements Data Thread by allowing users to directly edit visualizations. When users shift from exploration to communication, they can refine charts directly on the canvas or describe changes in natural language and let the agent adjust labels, annotations, layout, color, and emphasis. Analysts can also generate reports and share their findings with others.

Figure 2. (Left) Data Thread allows users to interact with AI agents by asking questions, requesting data visualizations, and exploring follow-up analyses. Threads preserve the history of long analysis sessions, making it possible to revisit, reuse, and build on earlier work. (Right) The interactive canvas allows users to refine visualizations directly by adjusting settings, redesigning charts, and inspecting the underlying data and code side by side.

View the Data Formulator demo here (opens in new tab), or explore the Data Formulator GitHub repository (opens in new tab). Teams developing analytics workflows for enterprise data can use the project as a foundation for adapting these capabilities to their own systems and requirements.

Opens in a new tab

The post Data Formulator 0.7: AI-powered data analytics for enterprise data appeared first on Microsoft Research.

Categories: Microsoft

Extending Human Intelligence Through AI

Microsoft Research - Wed, 05/27/2026 - 18:00
At a glance
  • Modern AI systems are powerful not because they replicate human intelligence, but because they presuppose it, by extending structures already present in human cognition and language.
  • This perspective helps explain both AI’s remarkable capabilities and its recurring boundaries, including hallucinations and breakdowns in reasoning.
  • This research argues that AI safety is a system-level challenge, shifting attention from “rogue AI” narratives toward harnessing engineering and governance.
  • Understanding AI as an extension of human intelligence—not a replacement for it—offers a more grounded path for building trustworthy AI systems.

AI systems today can write essays, generate code, summarize complex ideas, and carry on conversations with remarkable fluency. Yet those same systems still struggle with tasks humans find intuitive: reliably tracking objects through change, reasoning compositionally in unfamiliar situations, or distinguishing truth from plausible fiction. These contradictions have fueled polarized debates about AI. Some see current systems as early forms of human-like intelligence; others dismiss them as sophisticated autocomplete. 

In recent interdisciplinary work – including Adam Frank, Marcelo Gleiser, and Evan Thompson’s The Blind Spot (opens in new tab) and DeepMind researcher Alexander Lerchner’s The Abstraction Fallacy (opens in new tab) – a different picture is emerging. Rather than asking whether AI systems are becoming intelligent in the human sense, these approaches ask a more basic question: What if AI systems work because they rely on structures that are rooted in human cognition? This shift in perspective, which draws on the phenomenology of Edmund Husserl, helps make sense of both the capabilities and the limits of modern AI. 

In our recent paper, The Origins of Artificial Intelligence in Natural Intelligence, we argue that modern AI systems are best understood neither as human minds nor as trivial statistical tricks. Instead, they extend structures that originate in human cognition itself. Further drawing on the phenomenology of Husserl, the paper proposes that language already contains sedimented structures of human understanding —structures that AI systems learn to model and extend. This perspective helps explain both the capabilities and the boundaries of contemporary AI.  

Human perception is not simply passive reception of sensory data. We experience the world as stable things unfolding through change: a cup remains the same cup as we move around it; a melody remains recognizable even as individual notes pass away. Language emerges by expressing these stable structures in conceptual form. Words like “red,” “round,” or “larger than” articulate relationships that originate in lived experience. 

Large language models learn statistical relationships within this linguistic world. They capture how concepts tend to relate across enormous bodies of human writing. This explains why AI systems can produce coherent responses across many domains. But it also explains why they hallucinate. Humans remain answerable to the world: experience continually corrects our expectations and beliefs. AI systems, by contrast, extend patterns within text itself. They can continue a line of reasoning with remarkable fluency, but they lack the lived engagement with the world that anchors meaning and truth.

AI Extends Human Cognition 

This framework helps explain several recurring challenges in AI research. One is the “compositionality gap”—the tendency for language models to perform well on familiar reasoning patterns while failing when asked to combine concepts in genuinely novel ways. Research increasingly shows that larger models improve fluency and factual recall much faster than they improve true compositional reasoning. From our perspective, this is not simply an engineering limitation but a structural boundary: AI systems can extend patterns already sedimented in language, but they do not possess the world-directed understanding that allows humans to generate genuinely new conceptual relations. 

A similar pattern appears in multimodal systems that combine language and vision. These systems can often label images correctly while still failing at robust reasoning about objects and their parts. They learn correlations between visual patterns and language rather than perceiving stable objects unfolding through time in the way humans do. The result is systems that can appear impressively fluent while remaining surprisingly brittle outside familiar patterns. 

This perspective also reframes debates about AI safety. Public discussion often swings between fears of “rogue superintelligence” and claims that AI poses little meaningful risk. Our research suggests that both extremes misunderstand the nature of current systems. The most immediate risks arise not because AI possesses human-like intentions, but because it can extend patterns of reasoning without reflective responsibility to the world. Systems can generate persuasive but ungrounded outputs, automate flawed decisions at scale, or execute harmful actions if embedded in poorly governed environments.

This helps explain why AI safety is increasingly shifting from model safety to system safety. In practice, organizations already rely on layered safeguards—what the industry increasingly calls “harnesses”—to constrain, validate, and monitor AI behavior. Rather than temporary patches, our paper argues that these mechanisms reflect something fundamental about AI architecture itself: trustworthy behavior emerges from the work of builders of AI systems responsible for their behavior, a responsibility that cannot be delegated to or shared with models.

This interpretation aligns closely with how enterprises increasingly approach trustworthy AI deployment. Organizations need systems that can extend human intelligence while remaining governable, auditable, and aligned with human oversight. Understanding AI as a derived form of intelligence clarifies why layered governance, evaluation, and operational controls matter so deeply.

Azure AI Foundry Labs

Get a glimpse of potential future directions for AI, with these experimental technologies from Microsoft Research.

Azure AI Foundry Opens in a new tab

Looking ahead, we believe phenomenology offers more than a critique of AI—it offers a framework for understanding its promise. AI systems reveal something profound about human cognition itself: that meaning can be formalized, extended, and scaled in powerful new ways.  The central societal risk of AI thus turns out to be kicking away the ladder of its origins in human experience and cognition – misinterpreting AI as a rival intelligence that diminishes our humanity and thus, in turn, diminishes the true promise of AI itself. 

The question, then, is not whether AI will replace human intelligence. It is how we can responsibly build systems that extend human understanding while remaining grounded in the world from which that understanding arises. If we mistake AI systems for autonomous minds, we risk over-trusting them. If we dismiss them as trivial tricks, we risk overlooking one of the most important technological developments of our time. A more grounded interpretation recognizes both truths at once: AI is a genuine extension of human intelligence—and precisely because of that, humans remain responsible for how it is understood, governed, and used.

Opens in a new tab

The post Extending Human Intelligence Through AI appeared first on Microsoft Research.

Categories: Microsoft

Extending Human Intelligence Through AI

Microsoft Research - Wed, 05/27/2026 - 18:00
At a glance
  • Modern AI systems are powerful not because they replicate human intelligence, but because they presuppose it, by extending structures already present in human cognition and language.
  • This perspective helps explain both AI’s remarkable capabilities and its recurring boundaries, including hallucinations and breakdowns in reasoning.
  • This research argues that AI safety is a system-level challenge, shifting attention from “rogue AI” narratives toward harnessing engineering and governance.
  • Understanding AI as an extension of human intelligence—not a replacement for it—offers a more grounded path for building trustworthy AI systems.

AI systems today can write essays, generate code, summarize complex ideas, and carry on conversations with remarkable fluency. Yet those same systems still struggle with tasks humans find intuitive: reliably tracking objects through change, reasoning compositionally in unfamiliar situations, or distinguishing truth from plausible fiction. These contradictions have fueled polarized debates about AI. Some see current systems as early forms of human-like intelligence; others dismiss them as sophisticated autocomplete. 

In recent interdisciplinary work – including Adam Frank, Marcelo Gleiser, and Evan Thompson’s The Blind Spot (opens in new tab) and DeepMind researcher Alexander Lerchner’s The Abstraction Fallacy (opens in new tab) – a different picture is emerging. Rather than asking whether AI systems are becoming intelligent in the human sense, these approaches ask a more basic question: What if AI systems work because they rely on structures that are rooted in human cognition? This shift in perspective, which draws on the phenomenology of Edmund Husserl, helps make sense of both the capabilities and the limits of modern AI. 

In our recent paper, The Origins of Artificial Intelligence in Natural Intelligence, we argue that modern AI systems are best understood neither as human minds nor as trivial statistical tricks. Instead, they extend structures that originate in human cognition itself. Further drawing on the phenomenology of Husserl, the paper proposes that language already contains sedimented structures of human understanding —structures that AI systems learn to model and extend. This perspective helps explain both the capabilities and the boundaries of contemporary AI.  

Human perception is not simply passive reception of sensory data. We experience the world as stable things unfolding through change: a cup remains the same cup as we move around it; a melody remains recognizable even as individual notes pass away. Language emerges by expressing these stable structures in conceptual form. Words like “red,” “round,” or “larger than” articulate relationships that originate in lived experience. 

Large language models learn statistical relationships within this linguistic world. They capture how concepts tend to relate across enormous bodies of human writing. This explains why AI systems can produce coherent responses across many domains. But it also explains why they hallucinate. Humans remain answerable to the world: experience continually corrects our expectations and beliefs. AI systems, by contrast, extend patterns within text itself. They can continue a line of reasoning with remarkable fluency, but they lack the lived engagement with the world that anchors meaning and truth.

AI Extends Human Cognition 

This framework helps explain several recurring challenges in AI research. One is the “compositionality gap”—the tendency for language models to perform well on familiar reasoning patterns while failing when asked to combine concepts in genuinely novel ways. Research increasingly shows that larger models improve fluency and factual recall much faster than they improve true compositional reasoning. From our perspective, this is not simply an engineering limitation but a structural boundary: AI systems can extend patterns already sedimented in language, but they do not possess the world-directed understanding that allows humans to generate genuinely new conceptual relations. 

A similar pattern appears in multimodal systems that combine language and vision. These systems can often label images correctly while still failing at robust reasoning about objects and their parts. They learn correlations between visual patterns and language rather than perceiving stable objects unfolding through time in the way humans do. The result is systems that can appear impressively fluent while remaining surprisingly brittle outside familiar patterns. 

This perspective also reframes debates about AI safety. Public discussion often swings between fears of “rogue superintelligence” and claims that AI poses little meaningful risk. Our research suggests that both extremes misunderstand the nature of current systems. The most immediate risks arise not because AI possesses human-like intentions, but because it can extend patterns of reasoning without reflective responsibility to the world. Systems can generate persuasive but ungrounded outputs, automate flawed decisions at scale, or execute harmful actions if embedded in poorly governed environments.

This helps explain why AI safety is increasingly shifting from model safety to system safety. In practice, organizations already rely on layered safeguards—what the industry increasingly calls “harnesses”—to constrain, validate, and monitor AI behavior. Rather than temporary patches, our paper argues that these mechanisms reflect something fundamental about AI architecture itself: trustworthy behavior emerges from the work of builders of AI systems responsible for their behavior, a responsibility that cannot be delegated to or shared with models.

This interpretation aligns closely with how enterprises increasingly approach trustworthy AI deployment. Organizations need systems that can extend human intelligence while remaining governable, auditable, and aligned with human oversight. Understanding AI as a derived form of intelligence clarifies why layered governance, evaluation, and operational controls matter so deeply.

PODCAST SERIES

The AI Revolution in Medicine, Revisited

Join Microsoft’s Peter Lee on a journey to discover how AI is impacting healthcare and what it means for the future of medicine.

Listen now Opens in a new tab

Looking ahead, we believe phenomenology offers more than a critique of AI—it offers a framework for understanding its promise. AI systems reveal something profound about human cognition itself: that meaning can be formalized, extended, and scaled in powerful new ways.  The central societal risk of AI thus turns out to be kicking away the ladder of its origins in human experience and cognition – misinterpreting AI as a rival intelligence that diminishes our humanity and thus, in turn, diminishes the true promise of AI itself. 

The question, then, is not whether AI will replace human intelligence. It is how we can responsibly build systems that extend human understanding while remaining grounded in the world from which that understanding arises. If we mistake AI systems for autonomous minds, we risk over-trusting them. If we dismiss them as trivial tricks, we risk overlooking one of the most important technological developments of our time. A more grounded interpretation recognizes both truths at once: AI is a genuine extension of human intelligence—and precisely because of that, humans remain responsible for how it is understood, governed, and used.

Opens in a new tab

The post Extending Human Intelligence Through AI appeared first on Microsoft Research.

Categories: Microsoft

MagenticLite, MagenticBrain, Fara1.5: An agentic experience optimized for small models

Microsoft Research - Thu, 05/21/2026 - 19:00
At a glance
  • MagenticLite is an agentic application that works across both the browser and local file system in a single workflow. Built as the next generation of Magentic-UI, it combines a redesigned app with a harness optimized for small models.
  • MagenticBrain and Fara1.5 are small models designed for orchestration and computer-use tasks, respectively. Fara1.5 is the next iteration of Fara and delivers measurable gains on real-world browser tasks.
  • Together, these releases explore how far agentic performance can be pushed with smaller models, codesigned tools, and an optimized execution harness.

Today, Microsoft Research AI Frontiers releases MagenticLite (opens in new tab), an experimental agentic application designed for small models. As the next generation of Magentic-UI, it works across the browser and local file system in a single workflow.

MagenticLite is powered by two purpose-built models: MagenticBrain, for reasoning, delegation, and terminal use, and Fara1.5, a computer-use model family for browser-based tasks. The three components were designed to work together as a single system. The result is an agent that runs efficiently, keeps data on the user’s machine, and supports a broad range of agentic tasks. It also points toward a broader goal: capable agents that can run directly on users’ hardware.

The project is built around a key research bet: that agentic capability depends on tool orchestration and action rather than knowledge alone. That insight makes it possible to use smaller models while still enabling a broad range of agentic tasks at a fraction of the cost.

MagenticLite also reflects how we approach agentic AI end-to-end—from training data and model design to orchestration, interaction design, and human oversight throughout the experience.

Figure 1. One experience, three components: MagenticLite, MagenticBrain, and Fara1.5. Included in this release

MagenticLite (opens in new tab)

The next generation of Magentic-UI, our experimental agentic experience, is powered by an agent harness rebuilt for small models, with an updated user interface informed by community feedback. It works across users’ browsers and local file systems in a single workflow.

MagenticBrain (opens in new tab)

MagenticBrain is MagenticLite’s planner, coder, and delegator in one. It turns vague requests into concrete plans, selects the right tool or subagent for each step, writes code when needed, and recovers should something break mid-task. 

Fara1.5

The next generation of our computer-use model family, Fara1.5 comes  in three sizes, with a flagship 9-billion-parameter model for most use cases. Fara1.5 sets new state-of-the-art (SOTA) results among small computer-use models and nearly doubles Fara-7B’s performance on web navigation, with sharper handling of forms, credentialed sites, and long-running tasks.

Each component is useful on its own, but they work best together. Codesigning the app, models, and the harness enables capable and reliable agentic performance at this scale.

Our research approach: Doing more with less

We started with a simple question: what does it take to make a small model genuinely good at agentic tasks? The answer spanned the full lifecycle—data generation, training objectives, model design, and orchestration had to be redesigned together rather than in isolation.

We identified requirements from real-world use cases like filling out forms, conducting browser research, and managing files locally, and built an evaluation dataset around them. Standard benchmarks capture part of the picture, but they are not always a direct measure of real-world usefulness. Scenario-based evaluations complemented those benchmarks and became a key signal for iterative improvement across both the models and the harness, as shown in Figure 2.

Figure 2. An iterative process for building agentic systems involves defining success criteria, evaluating performance, and refining the models or system design (or both). Then repeat.

For the user experience, we retained key elements from Magentic-UI, including visibility into the agent’s reasoning and actions, the ability for users to take direct control, and explicit approval at critical points. Based on recent user studies, we also made MagenticLite easier to learn and collaborate with through updated browser and chat views, designed to make it easier for users to understand the agent’s actions and intervene when needed. This is illustrated in Figure 3.

Figure 3. MagenticLite’s interface includes updated browser and chat views designed to make it easier to understand agent actions and intervene when needed. Azure AI Foundry Labs

Get a glimpse of potential future directions for AI, with these experimental technologies from Microsoft Research.

Azure AI Foundry Opens in a new tab System components Fara1.5: A computer-use model that outperforms its weight class

Fara1.5 is the next generation of our computer-use model family, which is available in three sizes, with a flagship 9B model recommended for most use cases. Fara1.5 achieves new SOTA performance among small computer-use models and nearly doubles Fara-7B’s performance on web navigation, with better handling of forms, credentialed sites, and long-running tasks.

Last November, we released Fara-7B, a small agentic model built for completing tasks in a web browser. It was trained using a novel synthetic data generation engine that enabled best-in-class performance. Fara1.5 is the next step in that bet: a family of three models (4B, 9B, 27B) based on Qwen 3.5, designed to close the gaps we saw in the prior release.

What’s new

State-of-the-art results. On the popular Online-Mind2Web benchmark, which contains 300 tasks across widely used web domains, Fara1.5 sets new SOTA results for models in its size class. Fara1.5 outperforms all similarly sized models and nearly doubles the performance of Fara-7B. The larger Fara1.5-27B variant achieves more than 90% performance on the same benchmark.

Figure 4. On the OnlineMind2Web benchmark, Fara‑1.5-9B achieves state-of-the-art performance among models in its size class and substantially outperforms prior models. 

Improved user experience. In addition to improvements on benchmarks, we improved the user experience of Fara1.5. Users should observe stronger performance on everyday tasks like filling out forms, handling logins for credentialed sites, and booking appointments. These improvements are driven by the next evolution of our FaraGen data generation pipeline. Alongside training on live websites, we also trained the model on highly realistic synthetic environments designed to simulate scenarios like logins and irreversible actions.

A native action space tuned for long-running tasks. Beyond clicks and keyboard actions, Fara1.5 has built-in tools to store key information in its context across hundreds of steps and ask the user for permission or preferences when needed, helping it stay coherent on tasks that span many minutes of real work.

Recalibrated critical points. Fara-7B was trained to detect critical points for activities like transactions, login flows, or irreversible submissions and flag them. In Fara1.5, we refined our design around critical points based on our learnings from real use, so safety triggers still occur when they should but do not block useful tasks, such as form-filling.

Figure 5. Fara1.5 pauses and requests user intervention when it detects a critical point, in this case during a sign-in to a LinkedIn account using email credentials.  MagenticBrain: The orchestrator model

MagenticBrain is a 14B-parameter orchestration model—planner, coder, and delegator in one. Fine-tuned from Qwen 3 14B, MagenticBrain was trained end-to-end within the MagenticLite harness with the same tool schemas and execution environment it will encounter at inference time. As a result, there is no gap between how it learned to orchestrate and how it runs.

In many agentic systems, orchestration (planning and coordination) is the most reasoning-intensive component, so teams have historically relied on their most capable models for this role. Our bet is that small models can handle this role without sacrificing capability. Two design choices make that possible.

The first involves combining multistep tool-calling trajectories—where the model learns to pick the right tool and call it correctly—with coding and terminal trajectories—where the right answer is sometimes five lines of Python, not a tool call. This is paired with tight coupling between the tool format used during training and inference.

The second is computer-use agent (CUA) delegation. A key part of the orchestrator’s job is knowing when not to act itself and instead handing off a task to Fara1.5. Our data pipeline includes explicit delegation trajectories: sequences where the orchestrator recognizes a browser or user interface (UI) task, issues a structured handoff to the CUA model, waits for the result, and resumes the task. The result is an orchestrator model that reasons, codes, calls tools, and delegates fluidly within a single 14B footprint. We are releasing MagenticBrain which is designed for use with MagenticLite. 

Figure 6. MagenticBrain is a small orchestration model that can break down a natural-language request into smaller steps, select the right tools, write code when needed, and delegate browser tasks to Fara1.5. The Harness: Built for small models

The harness combines the orchestrator and browser-use models into a single workflow. Three design choices matter most:

  • Step-by-step planning. The harness plans incrementally, keeping the system flexible and enabling smoother course correction and recovery throughout long-running tasks.
  • Active context management. Small models have smaller effective context windows and degrade faster as context grows. The harness actively curates what each model receives at each step, keeping prompts focused, surfacing only the necessary information, condensing earlier interactions into concise summaries, and offloading the rest, so the orchestrator and Fara1.5 remain effective across long tasks.
  • Delegation through subagents. Rather than relying on a single small model for every task, the orchestrator acts as the main agent and delegates specialized work to subagents. This means handing off browser tasks to Fara1.5. This pattern plays to the strengths of small language models by allowing each model to handle a narrower, more specialized part of the problem. It also lays the foundation for future expansion: later versions could introduce additional subagents and run them in parallel for richer, more efficient workflows.

The harness preserves the human-in-the-loop guarantees from Magentic-UI 1.0. Critical points across both browser and code actions still pause for explicit user approval, and the entire system runs inside Quicksand (opens in new tab), an open-source wrapper created for a QEMU-based sandbox, which isolates browser sessions and code execution from the host system.

Figure 7. Overview of the MagenticLite architecture. The system uses a layered architecture spanning the front end, harness, models, and sandboxed execution environment. See it in action

MagenticLite can perform a wide range of tasks across the browser and local file system, such as filling out forms, making appointments, organizing local files, and searching for and analyzing information.

MagenticLite | Fill expense forms demo MagenticLite | Find and book a restaurant demo MagenticLite | Find prices for recipe ingredients demo MagenticLite | Organize local files demo Try it, and build with us

MagenticLite, MagenticBrain, and Fara1.5 are research releases intended to support continued exploration and development. We are releasing them to encourage experimentation, evaluation, and feedback from the broader community.

Contributors Opens in a new tab

The post MagenticLite, MagenticBrain, Fara1.5: An agentic experience optimized for small models appeared first on Microsoft Research.

Categories: Microsoft

Vega: Zero-knowledge proofs for digital identity in the age of AI

Microsoft Research - Thu, 05/21/2026 - 15:48
At a glance
  • Vega lets users prove facts from government-issued credentials — age, personhood, professional status — without revealing the credential itself. The credential never leaves the device. 
  • Zero-knowledge proofs are generated in under 100 ms on a commodity client device with no trusted setup, making private identity verification practical at scale. 
  • Fold-and-reuse proving means repeated presentations — to different services or through AI agents — skip most of the expensive work after the first proof. 
  • Vega targets real-world formats like mobile driver’s licenses and the EU Digital Identity Wallet, is built in Rust, and will be open sourced soon.

AI is transforming how people interact with digital services, from AI-powered assistants to autonomous agents that act on a user’s behalf. As these capabilities grow, so does the value of strong digital identity: users need reliable ways to establish trust, whether proving they are human or sharing a credential with an AI-mediated service. Government-issued credentials are still the strongest foundation for trust, but today’s verification methods often require people to hand them over. As AI agents begin acting on behalf of humans and interacting with decentralized systems, the need for fast, privacy-preserving ways to prove credentials will only grow.

These needs are already materializing in policy. Governments are moving quickly to formalize digital identity. The EU Digital Identity (EUDI) framework aims to make digital wallets available to all EU citizens, and efforts like the EU’s age-verification blueprint and the UK’s Online Safety Act mandate government ID-based methods for age checks. Application providers face a double bind: they must either use less accurate approaches like AI-based age estimation, or compromise user privacy by requiring ID uploads.

The credential gets uploaded, processed, sometimes stored, and eventually (hopefully) deleted. But high-profile breaches have repeatedly exposed government IDs that users shared for routine verification. These are not edge cases. They are the predictable consequence of a system that asks users to share their most sensitive documents to prove a single bit of information.

This is the question we set out to answer with Vega: Can we make it practical to prove something about a credential without ever revealing the credential itself?

The path to Vega: From idea to practice

Zero-knowledge proofs (ZKPs) are the cryptographic tool that makes this possible. The idea is simple: they allow a user to prove a claim, such as “I am over 21”, without revealing anything else. In practice, this means a user could prove their age from their driver’s license without the verifier ever seeing the license, whether to a website, an app, or a service mediated by an AI agent.  The proof works directly on the credential as issued, so the issuer does not need to change anything.

This is not a new idea. The challenge has always been practicality. Prior systems either require a trusted setup that had to be repeated whenever the logic changed, or they sacrificed performance to avoid the trusted setup, often producing large proofs in the process. For real-world use, the proof needs to be fast to generate, small enough to transmit quickly, and efficient enough to run on a mobile device.

We have spent several years working toward a practical solution. Privacy-preserving identity has been a motivating application (opens in new tab) throughout, and Vega’s proof system draws on several building blocks from that line of work:

  • Spartan (opens in new tab) showed how to efficiently prove R1CS, a standard way to express statements for a general-purpose proof system, with succinct proofs and without a trusted setup.
  • Nova (opens in new tab) introduced folding schemes, which let a prover compress many instances of a computation into one. 
  • HyperNova (opens in new tab) showed that Nova’s folding also provides a key building block for zero-knowledge: folding a real instance with a random instance hides the underlying secret data, a technique dubbed “NovaBlindFold.”
  • NeutronNova (opens in new tab) provided the most efficient folding scheme for handling a batch of instances at once.

Vega puts these building blocks together into a single proof system. A key design goal is simplicity. Spartan, Nova, and NeutronNova are composed in a direct way, and the circuit is built from a small number of standard components, with no exotic multi-field constructions and no trusted setup. On top of this simple foundation, Vega adds the ability to reuse work across multiple proofs of the same credential and a new way to achieve zero-knowledge with minimal overhead. The result is a system that is easy to audit, extend to new credential formats, and deploy.

Performance

Vega generates a zero-knowledge proof of age from a typical mobile driver’s license, about 2 kilobytes (KB), in 92 miliseconds (ms) on a commodity client device. The resulting proof is 108 KB and can be verified in 23 ms. No trusted setup is required. The prover key is 464 KB; it fits comfortably on any phone. For smaller credentials, proving drops to 62 ms, with 83 KB proofs, and 17 ms verification. In practice, a user taps a button to present a credential, and 92 ms later the proof is done. The service learns only the requested fact; the credential never leaves the phone.

PODCAST SERIES

The AI Revolution in Medicine, Revisited

Join Microsoft’s Peter Lee on a journey to discover how AI is impacting healthcare and what it means for the future of medicine.

Listen now Opens in a new tab Under the hood: Fold, reuse, and lookup

Vega’s speed comes from two ideas: fold-and-reuse proving and lookup-centric circuit design. The figure below shows the proving pipeline end to end.

Vega’s proving pipeline. Work is split into two phases. The once-per-credential phase splits the credential into step and core circuits and commits reusable data. The once-per-presentation phase re-randomizes cached commitments for unlinkability, folds all SHA-256 step instances into one via NeutronNova, proves the folded step and core circuits with Spartan, and applies zero-knowledge via NovaBlindFold. The final output is a 108 kB proof generated in 92 ms and can be verified in 23 ms.  The hashing problem, and how folding solves it

A credential proof must do two expensive things: hash the credential bytes with SHA-256 and verify the issuer’s digital signature. Signature verification would normally be the bottleneck, but Vega avoids that cost by working in a field where the signature arithmetic is native. As a result, hashing becomes the dominant cost. SHA-256 works by applying the same compression function to one 64-byte block at a time. A straightforward circuit simply unrolls all of these iterations, so its size grows with the length of the credential. For a typical mobile driver’s license, that is 30 blocks of compression, all captured in a single circuit.

We take a different approach. Instead of unrolling the entire hash, we define one small “step” circuit that proves a single SHA-256 compression step, and we instantiate it once per block. Because these step instances are structurally identical, we can use NeutronNova’s folding scheme to collapse them into a single instance. The prover does work to fold the 30 step instances into one, but this folding cost is modest. Spartan then only needs to prove a single step-sized circuit alongside a separate “core” circuit that handles the rest of the checks, including signature verification and age predicates, rather than a monolithic circuit with 30 unrolled blocks. The proving key only needs to describe one step and one core, so it stays small regardless of credential length.

There is a subtle privacy issue here to address. Credentials vary in length, and if the circuit size varied with the credential, that would leak information. To prevent this, all step circuits share a committed table of intermediate digests. The core circuit selects the appropriate digest using a private index. If the prover selects the wrong entry, the issuer’s signature check fails.

Making it zero-knowledge, cheaply

A proof system needs to be zero-knowledge: the verifier should learn nothing beyond the claim being proved. Existing approaches to achieve this are often complex to engineer and can add significant overhead to the prover. We found a simpler way.

A standard first step is to commit to every message the prover sends using hiding cryptographic commitments, so the verifier sees commitments rather than values. The harder question is to prove that those hidden values would have passed the verifier’s checks. We express those checks as a small constraint system, just a few hundred constraints, since the verifier only performs a logarithmic number of operations. We then fold this constraint system with a random instance via Nova’s folding scheme. This step hides the underlying data, so the zero-knowledge overhead scales with this small constraint system, not the full secret data.

Proving once, presenting many times

A user who presents their credential to one website will likely present it again to another, and another. In a world where AI agents handle many of these interactions on a user’s behalf, the same credential may need to be presented dozens of times a day. The credential itself does not change between these presentations. What changes is the session nonce, a fresh random value from the verifier, and possibly the date or the predicate threshold.

Vega takes advantage of this structure by splitting the prover’s secret data into three parts. The shared data (SHA-256 tables) and the precommitted part, such as the issuer signature and field locations are computed and committed once when the credential is first loaded. The online part, such as the device signature and today’s date, is committed fresh each time. Before each proof, the precomputed commitments are refreshed with new randomness, which is cheaper than recomputing them and ensures that two proofs about the same credential cannot be linked.

Avoiding the parser

Another important part of Vega’s efficiency comes from how it handles the credential format. A mobile driver’s license is encoded in Concise Binary Object Representation (CBOR), and building a full CBOR parser as a circuit would be both complex and expensive. But we realized we do not actually need a parser. The credential bytes are signed by a trusted issuer, so we know they are well-formed. We only need to reach in and grab specific fields.

We treat the credential as a byte-addressable lookup table. The prover says, “the device public key starts at byte 847” and supplies the bytes. The circuit checks three things: that the bytes actually match the authenticated credential, that the right CBOR prefix appears at the start of the field so the prover cannot claim the wrong field, and that the addresses are contiguous so the prover cannot splice bytes from unrelated locations. This replaces an entire parser with a handful of lookups.

The same lookup idea powers length-hiding hashing, as described above: the circuit builds a table of all intermediate SHA-256 digests and picks the correct one at the point where the real message ends.

Device binding

A zero-knowledge credential proof is only useful if it is tied to the person holding the credential. Without device binding, someone who obtains a leaked credential could generate valid proofs for any session. This matters even more in a world of AI agents: if an agent can present a proof on behalf of a user, we need cryptographic assurance that the proof originated from the user’s device, not from an attacker or an unauthorized agent.

Vega addresses this by requiring the holder’s device to sign a fresh session nonce with the device private key, which is bound to the phone’s secure element. The circuit extracts the device public key from the credential via lookup and verifies the device signature over the session nonce hash. Because the device private key never leaves the secure hardware, possession of the signed credential alone is not sufficient to produce a valid proof.

Where this leads

Vega is implemented in Rust and will be open sourced soon. The proof system powering Vega is already available as the open-source spartan2 (opens in new tab) project on GitHub. The paper, joint work with Darya Kaviani, will be presented at the upcoming IEEE Symposium on Security and Privacy in San Francisco. 

While we focused on mobile driver’s licenses as a concrete and timely application, especially given emerging frameworks like the EU Digital Identity wallet, the proof system and circuit techniques are general. They apply to any credential format with a stable byte encoding and a digital signature.

We see several directions where the same primitive becomes increasingly important.

Agents carrying identity on behalf of humans. As autonomous AI agents begin acting on behalf of people, whether booking travel, interacting with services, or entering agreements, those agents will need to prove facts about the human they represent. For example, “my principal is over 18” or “my principal is a licensed physician.” The agent should be able to carry these proofs without ever holding the underlying credential. A zero-knowledge proof generated on the human’s device, bound to the agent’s session via device binding, lets the agent present identity signals without holding secrets.

Bridging off-chain identity to on-chain systems. Decentralized systems increasingly need real-world identity signals, such as KYC compliance, accredited investor status, and jurisdiction checks. Today, this is handled by uploading documents to a centralized intermediary, who then issues an on-chain attestation. The user loses privacy twice: once to the intermediary, and again on chain, where the attestation may be linkable across interactions. A ZKP over an off-chain credential could bridge this directly: the user proves a fact from their government-issued credential, and the on-chain verifier receives only the proof. No intermediary sees the credential, and rerandomization ensures repeated proofs are unlinkable.

As digital identity mandates expand and AI reshapes how humans and agents establish trust, the need for privacy-preserving credential verification will only grow. We see Vega as one step in a broader shift: from a world where proving a fact about yourself requires giving up your identity, to one where cryptography lets you keep it.

Opens in a new tab

The post Vega: Zero-knowledge proofs for digital identity in the age of AI appeared first on Microsoft Research.

Categories: Microsoft

Further Notes on Our Recent Research on AI Delegation and Long-Horizon Reliability

Microsoft Research - Fri, 05/15/2026 - 20:06

Our recent paper, “LLMs Corrupt Your Documents When You Delegate”, has generated discussion about the reliability of AI systems in delegated workflows. We appreciate the interest in this work and want to clarify several important points about what the paper does—and does not—claim.

The research aims to develop robust evaluation methods for long-horizon delegated and collaborative tasks. More broadly, this work reflects an ongoing effort to better understand the gap between strong benchmark performance and certain real-world tasks. Using a controlled evaluation methodology, we examine how well information is preserved across these extended workflows. Within this constrained setting, we observe that models can accumulate fidelity degradation over repeated edits. Note however, that current production systems can mitigate these effects through verification loops, orchestration, and domain-specific tooling.

Our goal is not to argue against the use of AI systems in professional workflows, but rather to identify where current systems need further research and engineering to help make them more trustworthy collaborators. This benchmark is intended as a diagnostic tool for examining delegation patterns, not a measure of overall model capability, task success, or user outcomes.

Main results

The paper evaluates a specific interaction pattern we call delegated work—situations where a user entrusts an AI system to carry out multi-step modifications to important artifacts such as documents, spreadsheets, code, or structured files with limited human verification between steps.

We use chained transformation-and-inversion tasks that evaluate whether semantic content is preserved accurately across extended delegated workflows. Our evaluation uses domain-specific semantic parsing to focus on meaningful changes to the underlying artifact rather than superficial formatting or stylistic differences. The errors we report thus correspond to degradation in the underlying semantic content but, our measure of “corruption” did not include task completion or user satisfaction.

Using this methodology, we find that current frontier models can introduce sparse but consequential errors during long-horizon workflows, and that these errors may accumulate over repeated interactions. Across the evaluated settings, strong state-of-the-art models showed roughly a 19–34% degradation in artifact fidelity over 20 delegated iterations. Notably, Python workflows generally exhibited stronger robustness under extended delegated interactions, with less than 1% degradation on average.

Spotlight: Event Series

Microsoft Research Forum

Join us for a continuous exchange of ideas about research in the era of general AI. Watch the latest episodes on demand.

Watch on-demand Opens in a new tab Methodological limitations

DELEGATE-52 was intentionally designed as a stress test for long-horizon delegated execution. The benchmark evaluates whether systems preserve artifact integrity across extended sequences of transformations and inversions.

The study focuses specifically on delegated execution with limited human intervention between steps. It does not attempt to measure the full range of real-world AI deployments, many of which involve substantially more oversight, verification, and workflow structure.

The paper also evaluated a simplified agentic harness with tool use capabilities such as Python execution and file operations. While this setup did not eliminate the observed degradation, it should not be interpreted as representative of production-grade systems optimized for specific workflows or enterprise domains.

Implications

We believe the primary implication of this work is that reliable long-horizon delegation remains an important open research and engineering challenge.

The results suggest that strong short-horizon benchmark performance alone may not guarantee dependable delegated execution over extended workflows. At the same time, the findings should not be interpreted as evidence that AI systems lack practical value in real-world work today.

In practice, many deployed AI systems combine models with specialized harnesses, orchestration layers, retrieval systems, verification procedures, memory mechanisms, and human oversight designed to improve reliability and deliver useful user outcomes despite underlying model limitations. We expect continued improvements in models, workflow-aware training, memory systems, and production-grade agentic harnesses to further reduce these failure modes over time.

Opens in a new tab

The post Further Notes on Our Recent Research on AI Delegation and Long-Horizon Reliability appeared first on Microsoft Research.

Categories: Microsoft

mimalloc: A new, high-performance, scalable memory allocator for the modern era

Microsoft Research - Wed, 05/13/2026 - 19:19
At a glance
  • Today’s critical services and applications are often highly concurrent, using hundreds of threads. They also operate at large memory scales, frequently hundreds of gigabytes, especially when using large language models.
  • mimalloc is an open-source, modern, scalable memory allocator that is a drop-in replacement for malloc and free. It is relatively small (~12K lines), with clear internal data structures, and is easy to build and integrate into other projects. It provides bounded worst-case allocation times (up to OS primitives), bounded space overhead, low internal fragmentation, and minimal contention by relying almost exclusively on atomic operations.
  • mimalloc is available on GitHub (opens in new tab) and has over 12K stars.
mimalloc

At the RiSE group at Microsoft Research (MSR), we conduct fundamental research into formal methods, programming languages, and software engineering (including emerging agentic systems), with a particular focus on systems that can be provably correct, secure, and performant. The mimalloc memory allocator was initially designed in 2020 as a fast allocator for the state-of-the-art Lean (opens in new tab) and Koka (opens in new tab) programming languages developed at RiSE, both of which use novel compiler-guided reference counting (see Perceus).

The scalable design of mimalloc has also proved to work exceedingly well for large services at Microsoft. Through close cooperation with product teams, mimalloc has significantly improved the response times in services such as Bing. Today, mimalloc is widely used in large services and applications, both within and outside Microsoft. It serves as the allocator for NoGIL CPython 3.13+, is integrated into Unreal Engine, and is used in games such as Death Stranding. The project is open source on GitHub, with over 12K stars its Rust wrapper alone sees over 100K downloads per day.

mimalloc is effective across a wide range of scenarios; from small-scale applications like Koka or Lean, to large services with memory footprints exceeding 500 GiB and hundreds of threads.

Despite this range, the codebase is still compact, at around 12K lines of C. Reflecting its research origins, mimalloc emphasizes clear internal data structures with strong invariants, making it easier to understand and reason about than many industry allocators. As Fred Brooks already remarked in his famous book The Mythical Man-Month: “Show me your flowchart and conceal your tables, and I shall continue to be mystified. Show me your tables, and I won’t need your flowchart; it’ll be obvious.”

As a result, mimalloc has been ported to many platforms—Windows, macOS, Linux, FreeBSD, NetBSD, DragonFly, and various consoles—, and is easy to build and integrate into other projects. For example, the clear data structures enabled Sam Gross and others to adopt mimalloc as the concurrent allocator for NoGIL CPython. The design also makes it relatively straightforward to implement cyclic garbage collection on top of this.

The Fast Path

As with other scalable allocators (such as tcmalloc and jemalloc), a core design principle of mimalloc is that each thread maintains its own thread-local heap, which we call a “theap”. Each theap owns a set of mimalloc “pages,” which are usually 64 KiB. Each mimalloc page contains blocks of a fixed size, organized into size classes to reduce internal fragmentation. By giving each thread its own theap and set of mimalloc pages, memory allocation and deallocation typically proceed without synchronization. Atomic operations are only required when a thread frees a block allocated by another thread.

Moreover, in practice, most allocations are quite small, often less than 1 KiB. For such small allocations, mimalloc provides a fast path where the main allocation function looks like:

void* mi_malloc( size_t size ) { mi_theap_t* const theap = mi_get_thread_local_theap(); if (size > MI_MAX_SMALL_SIZE) return mi_malloc_generic(theap,size); // slow generic path const size_t index = (size + sizeof(void*))/sizeof(void*); // round size mi_page_t* const page = theap->small_pages[index]; mi_block_t* const block = page->free; // head of free list if (block == NULL) return mi_malloc_generic(theap,size); // slow generic path page->free = block->next; // pop free list page->used++; return block; }

By using thread-local theaps, we need no atomic operations or thread synchronization. We also try to minimize the number of branches. In particular, the thread-local theap is never NULL, and we initialize it with a special empty theap with all empty pages. This way, we do not need a separate check if the theap is NULL. Similarly, the pointers in the small_pages array are never NULL, and we use again special empty pages (with page->free==NULL) to avoid a separate check. Finally, pages are initialized with a free list rather than a separate bump pointer, avoiding special cases and enabling allocation by simply popping blocks from the free list. On x64, this code now translates into few instructions with just two uncommon branches:

mi_malloc: movq %rdi, %rsi ; rsi = size movq _mi_theap_default@GOTTPOFF(%rip), %rax movq %fs:(%rax), %rdi ; rdi = thread local theap cmpq $1024, %rsi ; size > MI_MAX_SMALL_SIZE? ja .LBB0_generic leaq 7(%rsi), %rax ; round to sizeof(void*) andq $-8, %rax movq 232(%rdi,%rax), %rcx ; rcx = heap->small_pages[index] movq 8(%rcx), %rax ; block = rax = page->free testq %rax, %rax ; block == NULL? je .LBB0_generic movq (%rax), %rdx ; page->free = block->next movq %rdx, 8(%rcx) incw 16(%rcx) ; page->used++ retq .LBB0_generic: jmp _mi_malloc_generic@PLT ; tailcall

Similarly, mimalloc provides a fast path for freeing blocks. In practice, most blocks are freed by the same thread that allocated the block. We can optimize that case by checking whether the current thread ID matches the thread ID stored in the corresponding mimalloc page. If so, we can just push our block on the page’s free list without requiring atomic operations or locks:

void mi_free(void* p) { mi_page_t* const page = mi_ptr_page(p); // get the page meta-data that contains p if (page==NULL) return; if (mi_thread_id() == page->thread_id) { // do we own this page? mi_block_t* const block = (mi_block_t*)p; block->next = page->local_free; // push on the `local_free` list page->local_free = block; if (--page->used == 0) mi_page_free(page); // is the entire page free? } else { mi_free_cross_thread(page, p); // free in a page owned by another thread } }

The mi_ptr_page function in the latest mimalloc v3 retrieves page metadata using an on-demand allocated map of the entire memory. In earlier versions this was faster using alignment tricks. However, in practice, invalid pointers are often passed to mi_free when overriding free globally.  

Using a separate map enables such cases to be detected efficiently and return NULL when the pointer is invalid. In particular, mi_ptr_page(NULL) == NULL, which avoids an extra branch by testing only if the page is NULL. Additionally, used count is used to efficiently detect when all blocks in a page have been freed. 

When a block is freed across threads, we enter the mi_free_cross_thread function—the first path that requires atomic operations: 

void mi_free_cross_thread(mi_page_t* page, mi_block_t* block) { mi_block_t* tfree = mi_atomic_load(&page->thread_free); // head of the thread free list do { block->next = tfree; // push our block in front } while (!mi_atomic_compare_and_swap(&page->thread_free, &tfree /*expect*/, block /*new*/)) }

The block can be freed by pushing it onto the thread-free list of the page. Since this is multi-threaded, it requires an atomic compare-and-swap operation to push the block atomically. Still, on modern hardware such operations are efficient when uncontended, as their operation is integrated with the cache coherence protocol (MOESI).

PODCAST SERIES

AI Testing and Evaluation: Learnings from Science and Industry

Discover how Microsoft is learning from other domains to advance evaluation and testing as a pillar of AI governance.

Listen now Opens in a new tab Free list mayhem

There are three free lists per page: the free list for allocations, the local_free list for freed blocks, and the thread_free (atomic) list for blocks that were freed across threads. This guarantees that after a fixed number of allocations, the free list is exhausted, ensuring we occasionally take the slower generic allocation path. This is also used to clean up the free lists by moving thread-local and local free lists back to the main free list. (Note: Actual implementation requires more care to handle cases where the owning thread never allocates again or is blocked for a long time).

Thus, mimalloc has three free lists per (64 KiB) mimalloc page, and effectively that means that a program can easily have thousands of free lists. This is essential to the scalability and cache locality of mimalloc.

A height-balanced tree A randomized tree

For this design, we took inspiration from randomized algorithms. For example, to balance a binary tree we can use smart strategies based on weight or depth, and perform specific rotations to keep it balanced. Such algorithms are usually quite complicated. However, we can also simplify the process and randomly decide on splits during insertion, and by sheer chance, we also end up with trees that are balanced enough.

Similarly, many multi-threaded allocators rely on sophisticated concurrent data structures to synchronize access to shared free lists. In contrast, mimalloc uses a per-page thread-free list, where any thread can push a block using a simple atomic compare-and-swap. Because there are thousands of such lists, the probability that multiple threads concurrently free blocks to the same page is low. As a result, most push operations are uncontended atomic updates. By organizing these lists per 64 KiB mimalloc page, cache locality is improved, as allocation tends to stay within the same page until it is full, regardless of freed objects in other pages.

In contrast, consider a design with a single free list per thread or process. When allocating a new structure while freeing objects of the same size—a common pattern in workloads such as tree transformations—allocation may reuse recently freed blocks scattered throughout memory, leading to reduced locality.

Sharing between threads

There is a fundamental tension between scalability and efficient memory sharing between threads. To scale optimally, we would give each thread exclusive ownership to its own pages to minimize any thread synchronization. On the other hand, that may lead to wasted memory: suppose a thread has large quantities of free blocks and another thread needs to allocate blocks of that size –without being able to share or steal those pages, we need to allocate fresh memory instead. In the other extreme, we could share all pages between all threads with a single lock: now memory use is optimal, but we no longer scale. The following benchmark results illustrate this tension:

1.1x commit, 56 Gib total 4x commit, 262 GiB total 1.3x commit, 262 GiB Total

The benchmark runs many tasks for a fixed amount of time using the Windows thread pool with about 800 active threads. The tasks alternate between allocation, deallocation, and brief blocking periods, simulating typical service workloads. In the graphs, the blue line represents the total live data, while the red line represents total committed memory by the allocator. The ideal situation is to have the red line as close as possible to the blue line. This is almost the case for the first graph, which uses the standard  system allocator: at the end there is just 1.1x more committed than live data – an excellent result! However, over the benchmark duration, it allocated a total of only 56 GiB data.

Contrast that with another highly concurrent allocator in the second graph, which was able to allocate 262 GiB over the benchmark duration—almost 4x as much. However, it also committed 4x more memory than the live data. In real workloads with larger memory footprints, such a ratio can quickly become unacceptable. Here we see that the standard allocator didn’t scale as well, but showed better cross-thread memory sharing.

The final graph shows the most recent mimalloc allocator. Like the second allocator, it allocates 262 GiB over the benchmark duration, while reducing committed memory to 1.3xthe live data, which achieves scalability and efficient memory sharing between threads. Similar to work-stealing in modern thread pool implementations, mimalloc uses a “page stealing” technique, allowing threads to take ownership of pages without expensive cross-thread synchronization.

These improvements were made in close collaboration with the Azure Cosmos DB team at Microsoft. A precise description is beyond the scope of this blog, but we will publish a technical report soon—stay tuned.

Opens in a new tab

The post mimalloc: A new, high-performance, scalable memory allocator for the modern era appeared first on Microsoft Research.

Categories: Microsoft

GridSFM: A new, small foundation model for the electric grid

Microsoft Research - Wed, 05/13/2026 - 18:00
Microsoft releases a lightweight foundation model that can predict AC optimal power flow in milliseconds, boosting efficiency and unlocking cost savings in grid analysis. At a glance
  • Microsoft introduces GridSFM, a small foundation model that approximates AC optimal power flow in milliseconds, unlocking decisions that can directly impact up to $20B/year in congestion losses and 3.4 TWh of renewable curtailment.
  • Beyond estimating generator dispatch and costs, GridSFM produces full AC system states, giving operators direct visibility into congestion, stability, and overall system health.
  • It provides a foundation for the community to build advanced power grid simulators and planning tools without recreating data or models from scratch.

Microsoft introduces GridSFM, a small foundation model for solving AC optimal power flow (AC-OPF) problems in transmission power grids. This follows our earlier release of a U.S.-based open transmission-topology dataset that powers GridSFM.

Power grids face increasing strain from surging demand, the need to integrate renewable energy sources, transportation electrification, and extreme weather events. Across all these challenges, the core question is the same: what are the optimal operating points that keep the grid functioning under each new condition?

Answering this requires solving AC optimal power flow (AC‑OPF), a complex, non-convex optimization problem that computes the cheapest generator dispatch (how much each generator produces) that meets demands while respecting power flow physics, voltage limits, thermal constraints, and stability requirements, and underpins core power system operations including reliability, real-time dispatch, market clearing, and contingency analysis. These decisions directly govern outcomes at the scale of up $20 billion per year in congestion costs (opens in new tab) and multi‑terawatt‑hour renewable curtailment (opens in new tab) (lost renewable energy due to congestion), making both economic efficiency and grid reliability highly sensitive to how well these operating points are found. However, AC‑OPF is computationally expensive: power utility scale grid can take up to hours solve, forcing a trade-off between solving a small number of carefully selected scenarios or relying on approximations that ignore critical physics, which can misestimate power flows and binding constraints and lead to suboptimal dispatch and degraded reliability under stressed conditions.

Spotlight: AI-POWERED EXPERIENCE

Microsoft research copilot experience

Discover more about research at Microsoft through our AI-powered experience

Start now Opens in a new tab

To address this limitation, we introduce GridSFM, a single neural network that approximates AC‑OPF in milliseconds across grids ranging from 500 to 80,000 buses. It takes standard AC‑OPF inputs (grid topology, generator and load specifications, transmission line constraints) and produces an operating point and a feasibility verdict (whether the system satisfies all physical and operational constraints). By removing the compute bottleneck, GridSFM makes it possible to evaluate orders of magnitude more scenarios in real time, enabling more informed decisions and shifting grid operations from reactive response to proactive optimization.

In this initial release we offer two tiers:

  • GridSFM-Open for research-scale grids up to 4,000 buses.
  • GridSFM-Premier for production-scale systems up to 80,000 buses.

The model is built as a block-structured discrete neural operator (Figure 1), representing each grid as a directed graph, with buses (connection points in the grid) and generators as vertices, and transmission and AC lines as edges. It is trained using both solver supervision, where reference solutions are generated using the AC-OPF solver (IPOPT in PowerModels.jl (opens in new tab)), and physics-based constraints that penalize violations of fundamental physical laws such as Kirchhoff’s voltage and current laws, as well as operating constraints like thermal limits. This enables the model to learn from both feasible and infeasible regimes. Most learning-based AC-OPF surrogates train one model per grid on a narrow distribution (opens in new tab). GridSFM takes the opposite approach: in this release a single model trained across 150+ base grid topologies (network structures) and roughly half a million scenarios spanning varying load profiles, multi-element outages, line-rating derates, voltage-bound tightening, and different generator cost coefficients, so the model is forced to generalize rather than memorize. Across the 54-grid mix test scenarios for GridSFM-Open, our model achieves a median cost gap of 2.23% vs solver ground truth labels (mean 3.41%; <5% gap on 83 % of scenarios). When more precision is needed, GridSFM’s prediction also serves as a warm start seed for traditional numerical solvers, GridSFM-seeded-warm beats cold solve by 1.66× geometric mean across the same test scenarios and beats the industry-standard DC-OPF warm-start by 1.59× geomean (per-grid breakdown and full white-paper analysis to follow).  Geometric mean, otherwise known as the multiplicative average, is used here since it is more robust to outliers. Our model also demonstrates the ability to adapt to new grids with just a handful of fine-tune scenarios.

Figure 1. GridSFM architecture. Bus, generator, and branch features are embedded into a shared latent space, then refined by a stack of attention blocks operating directly on the grid topology. Output heads decode the latent state into (i) a full AC-OPF operating point, bus voltages and angles, generator dispatch, branch flows, and (ii) a per-scenario feasibility score. What it enables

A common pattern in grid operations and planning is having to choose between solving a small, hand-picked set of scenarios accurately with full AC-OPF or running thousands of scenarios through a faster approximation that drops parts of the physics. For example, a commonly used tool is the DC-OPF approximation, a linearized version that assumes flat voltage magnitudes and small angle differences and ignores reactive power and losses. DC-approximation solves in seconds what takes full AC minutes to hours, which is why most contingency screens, market-clearing pre-stages, and planning sweeps run on DC-approximation today. The cost is real: DC-approximation ignores voltage and reactive constraints entirely, and its dispatch cost can run >10% off the AC optimum on stressed scenarios (with worst-case grids out past 20% in our test benchmark).

GridSFM is designed as a drop-in alternative to DC-approximation in that fast approximation slot, and unlike most existing AC-OPF neural surrogates, which require a fresh training run for every new topology, GridSFM generalizes across grids in its supported size range without per-topology retraining, so it slots in as universally as DC-approximation. Especially when compared with DC-OPF, GridSFM has three concrete advantages:

  • Same accuracy class as DC-approximation on standalone dispatch cost. GridSFM and DC fall within the same per-scenario cost-gap distribution (§2 / Figure 6), with complementary failure modes: DC fails on grids where its no-loss / no-reactive linearization is structurally wrong; GridSFM fails on grids outside its training distribution. The two limitations close along orthogonal axes. DC’s ceiling is fixed by the linearization, whereas GridSFM’s tail closes with more training data.
  • 1,000× faster than a full AC solver and approximately 100× faster than DC-approximation at the inference step, fast enough to sweep thousands of contingencies (e.g., line or generator outages) in minutes on a single commodity GPU.
  • A real AC operating point, not a linear approximation. GridSFM produces voltages and reactive power, so the same prediction can be handed to a traditional numerical solver as an AC warm-start, opening a workflow DC-approximation cannot.
1. Feasibility screening: stress-score triage

A scenario is infeasible when no dispatch satisfies all constraints simultaneously: the requested load cannot be served within voltage bounds, thermal limits or generator capacities. Operationally, infeasibility is the most consequential failure signal: the requested operating condition cannot be served at all, and the response is intervention (load shedding, redispatch, relaxing thermal limits). It is also the most expensive class of scenario to screen, because the solver only learns a scenario is infeasible after iterating to non-convergence: each infeasible case costs a full solver run, often longer than a feasible one. Sweeping thousands of contingencies or stress cases to identify the infeasible ones is therefore one of the worst-case budgets in any planning workflow.

GridSFM addresses this with a per-scenario stress score trained jointly with the dispatch head. We evaluate the score on three classes of scenarios on each grid: real-feas are scenarios the AC-OPF solver successfully converged on (i.e., genuinely feasible operating points), real-infeas are scenarios the solver failed to converge on (genuinely infeasible operating points), and synth-infeas are feasible base points we deliberately perturbed to violate a specific constraint (voltage squeeze, thermal bottleneck, angle tightening, or DC-thermal congestion). Across the 54-grid test scenarios, the stress score’s per-grid binary accuracy is broadly uniform across classes: real-feas (green) mean 94.5%, real-infeas (red) mean 96.1%, synth-infeas (orange) mean 90.4%. Most grids cluster within a few points of the means; outliers below 80% are the same hard grids that show up in cost-gap analysis below.

Figure 2. GridSM per-grid feasibility prediction accuracy across the 54-grid test scenarios, broken out by class (real-feas, real-infeas, synth_infesible). Filled KDE + per-grid dots, with mean (–) and median (:) light dashed lines. The three distributions overlap heavily, the model’s quality is broadly uniform across classes, with a small failing tail of structurally hard grids.

Drilling into a case study. Let’s zoom into a single representative grid, the Texas2k summer-peak grid (opens in new tab), to show how the learned representation separates feasibility and ROC for predicting.

Representation. Figure 3 visualizes the model’s learned representation of each Texas2k scenario. We project the per-graph representation (128-dimensional) onto two axes (LD1, LD2) chosen to maximally separate the scenario classes: real-feasible, real-infeasible, and synthetic-infeasible. Squeezing 128 dimensions into 2 inevitably loses information, so this view exaggerates apparent overlap: classes that look mixed here may still be cleanly separable in the full 128-dimensional space the model uses. The shaded cloud shows where graphs of each class concentrate, and the cross at the center of each cloud marks the class centroid, the average position of all graphs of that class. Centroids that sit far apart mean the model treats those classes as clearly distinguishable. Where two shaded clouds overlap, the model is producing similar embeddings for graphs with different labels.

Figure 3. Linear discriminant projection of grid embeddings on the Texas2k scenarios. Real feasibles (green), real infeasibles (red), and synthetic infeasibles (orange), projected onto two axes (LD1, LD2) chosen to maximize between-class separation. Crosses mark class centroids; shaded clouds show where each class concentrates. Overlap between clouds means the model produces similar embeddings for graphs in those classes; in the full 128-dimensional space the model may still separate them along directions not shown.

Operation and ROC. The score itself is continuous and ranking-calibrated. Figure 4 shows the ROC over its test mix: AUC = 0.986. At the natural operating point the same score, thresholded as a binary classifier, yields 95.5% accuracy. Per-mode detection at that threshold is 99–100% on the three perturbation modes that drive a constraint cleanly past its limit.

Figure 4. ROC curve of the GridSFM stress score for feasibility on the Texas2k summer-peak test mix (real feasibles + solver-labeled infeasibles + synthetic perturbation modes that drive a constraint past its limit). Area under the curve = 0.986, binary accuracy 95.5% at the natural operating point. The score is calibrated for ranking; where to draw the binary cutoff is an operator choice. 

Triage cutoff. For routing scenarios into action buckets, Figure 5 shows the stress-score distribution per population. Operators pick the cutoff that matches their workflow: very-confident feasibles pass through to indicative dispatch; very-confident-stressed scenarios are flagged for engineering review; the borderline middle band is sent to the solver for verification. The cutoff sets the balance between solver budget and screening miss-rate.

Figure 5. Distribution of the model’s feasibility logit on the same Texas2k test scenarios, split by population: real-feasibles (green), real-infeasibles (red), and synth-infeasibles (orange). The dashed vertical line is the decision boundary where logit=0. Samples to the right are predicted feasible. At this operating threshold, real-feasible pass through at 99.5%, real-infeas are correctly flagged at 90.4%, and the synthetic perturbation are caught at 88-100%. 2. GridSFM as a fast approximation

GridSFM’s prediction can be used in two ways without producing an exact AC-OPF solution from scratch: as a standalone dispatch and cost estimate, or as the initial guess (warm-start) for an exact numerical solver. We compare both against the same two reference points throughout: full AC-OPF (the ground-truth optimum) and DC-approximation (the established fast baseline). All numbers below come from the same test set of 54 grids scenarios GridSFM-Open, with solver solve_time measured per scenario under single-core CPU pinning.

Standalone cost estimate

When an exact solver round-trip is not required, GridSFM’s predicted dispatch can be costed directly. In our test set, GridSFM-Open and DC-approximation fall in the same accuracy class: comparable means (DC 2.80%, GridSFM 3.41%), comparable medians (DC 1.81% vs GridSFM 2.23%), and overlapping per-scenario distributions across two decades of cost gap (Figure 6). They have complementary failure modes rather than one dominating the other.

Figure 6. Per-scenario cost-gap distribution from AC-OPF ground truth: DC-approximation (blue) and GridSFM (green) across the 54-grid GridSFM-Open benchmark. Filled KDE + per-scenario dots underneath; light dashed lines mark mean (–) and median (:). DC: mean 2.8%, median 1.81%, <5% gap on 90% of scenarios. GridSFM: mean 3.41%, median 2.23%, <5% gap on 90% of scenarios. The two distributions overlap heavily in the body — methods are in the same accuracy class with complementary failure modes. Reference dashed line at 5%.

Both distributions look the same in shape: a single peak in the 2–3% gap range, with the bulk of scenarios under 5% and a small tail of outliers extending out into the >25% range. The outlier tails come from different sources: DC fails on grids where its no-reactive linearization is structurally wrong (case1803_snem and a handful of meshed transmission grids); GridSFM’s outliers are concentrated on a few of our open sourced grids whose AC-OPF reference itself required additional constraint relaxation to become feasible (opens in new tab), so the ground-truth target on those grids is noisier and the gap partly reflects reference-side instability. The two limitations close along orthogonal axes: DC’s ceiling is fixed by the linearization and does not improve with more data or compute; GridSFM’s tail closes with cleaner reference labels and more training data on those grid families.

The differentiating value of GridSFM is therefore not the standalone cost number, but that GridSFM produces a full AC operating point including voltages and reactive power. This allows operators to directly assess the state of the grid. This is important since the feasibility and security of a system is often determined by the voltage and reactive power limits, but neither are considered in DC-OPF.  At the same time, the operating point also enables the warm-start workflow, as we describe next.

Warm-start handoff

An AC-OPF solver works by iteratively refining an initial guess of the operating point until the optimality conditions are satisfied, and the number of refinement iterations it needs depends directly on how close the initial guess starts to the true optimum: a poor starting point can require thousands of iterations, a near-optimal one only a couple. A cold start (also known as a flat start) sets voltage magnitude to 1.0 per unit and angle to zero  on every bus, so the solver does the full amount of work. A warm start replaces that generic value with a closer estimate to make the solver converge faster. DC-approximation warm-start solves the linearized DC-OPF version of the problem first and seeds the AC solver with that solution. Whereas, GridSFM warm-start runs a single forward pass through the model and seeds the solver with its predicted voltage angles and active dispatch. The absolute ceiling on how much any warm-start can help is what we call the GT (ground-truth) ceiling: we run the full AC-OPF solve once at high precision to find the true optimum, then re-run the solver with that exact solution as the warm start seed. This is the practical limit on solving time and therefore the ceiling on speedup. 

Figure 7. Warm-start speedup over AC-OPF cold start, across the 54-grid test set (log-scale x axis). GridSFM (green, sits cleanly right of the cold-start reference) achieves a geomean speedup of 1.66×, and outperforms cold start on 41 of 54 grids ; DC-approximation (blue) achieves a geomean speedup of 1.04× and improves performance on 34 of 54 grids; the GT ceiling (gold,  geomean 2.72×) is the upper bound on warm-start headroom. Each method’s ratio is computed within the same Julia process to remove cross-run timing noise. 

Our profile showed that GridSFM warm-start is 1.66× faster than cold start and 1.59× faster than DC-approximation warm-start (geometric means across the 54 grids test scenarios) and is faster than both baselines on 41 of 54 grids. The largest per-grid speedups exceed 7× over cold on the meshed transmission grids (Texas2k summer-peak, case2742_goc). DC-approximation warm-start, by contrast, is a wash on average across this broader grid mix (geomean 1.04× vs cold), DC saves on AC iterations on some grids and spends them rebuilding voltage/reactive on others.

The gap between the GridSFM distribution in Figure 7 and the GT-ceiling distribution (2.72× geomean) can be closed by improving GridSFM’s residual reactive-power and voltage prediction error, both targeted by the next release.

Generalization

We tested whether GridSFM-Open acts like a true foundation model by running it on a grid it had never seen before: the 6,470-bus case6470_rte from OPFData (opens in new tab), about 1.4× larger than any grid in training.

In a zero-shot setting, performance drops as expected. Cost error increases from 3.35% in-sample to about 14% on the new grid. Voltage predictions capture only about 27% of the true variation and appear nearly flat. The feasibility classifier flags every scenario as infeasible. Even so, the model still preserves the correct ordering of costs across scenarios.

With light fine-tuning, performance recovers quickly. After 10 epochs on 1,000 scenarios, cost error falls to 1.12%, voltage variation reaches 91% of the true signal, and feasibility detection becomes nearly perfect. An N-1 contingency split that was fully held out during fine-tuning matches the full-topology results within 0.2 percentage points on all metrics, showing that adaptation transfers across contingencies.

The model adapts even with very limited data. With just 10 scenarios, cost errors are 1.76% and feasibility detection exceeds 90%, with strong results already on cost and active power dispatch. Voltage magnitude is slower to recover and needs closer to 1,000 scenarios (see Table 1).

This test showed that GridSFM-Open already captures AC-OPF physics during pre-training. Adapting to a new grid is mostly a matter of calibration rather than relearning. The released checkpoint can therefore serve as a practical starting point for users to fine-tune on their own topology and tasks.

Fine-tune scenariosCost errorFeasibility Detection0 (0-shot)14%0 (Collapsed)101.76%92%1000.88%97%10001.12%99%Table 1: Few-shot fine-tuning of GridSFM-Open on case6470_rte (held-out test split, 10 epochs per row): even ~10 scenarios already give useful cost and feasibility predictions. Looking ahead

Active directions for the next release:

  • Generalization. Tighter accuracy on grids and operating conditions outside the training mix. The current out-of-distribution analysis is in the white paper.
  • Continued accuracy improvements across all prediction channels, narrowing the residual gap between Figure 7’s GridSFM distribution and the gold GT-ceiling.
  • Multi-snapshot extensions. Unit commitment (discrete on/off generator decisions across time), weather-conditioned scenario generation, dynamic-stability surrogates.

We previously released the GridSFM_US _Powergrid_dataset (opens in new tab). This release adds the first open AC-OPF model that supports multiple grid topologies, completing a stack of open topology data, open code, and open weights for ML-driven grid simulation and planning. We see it as a starting point for the community to build richer simulators, planning workflows, and decision-support tools without re-creating the data or the model from scratch. The applications we expect to see most leverage from are the ones where the cost of a single solve has historically forced cherry-picking: contingency screening, transmission expansion planning, demand-siting analysis, and resilience studies under extreme weather. 

Everything in the GridSFM-Open tier is released for research use today:

GitHub Hugging Face White Paper Project Page

A note on GridSFM-Premier. The larger production-scale tier is not part of this open release. If you are interested in evaluating it, collaborating with us, or otherwise getting access, please contact us at gridFM@microsoft.com.

Opens in a new tab

The post GridSFM: A new, small foundation model for the electric grid appeared first on Microsoft Research.

Categories: Microsoft

Advancing AI for materials with MatterSim: experimental synthesis, faster simulation, and multi-task models

Microsoft Research - Tue, 05/12/2026 - 15:00
At a glance
  • Experimental validation: Using high-throughput screening with MatterSim-v1, we previously identified tetragonal tantalum phosphorus (TaP) as a potential high-performance thermal conductor. Now we have experimentally synthesized it and measured its thermal conductivity (152 W/m/K) to be close to the thermal conductivity of silicon.
  • Faster simulation: We have accelerated MatterSim-v1 model inference by 3-5x and integrated it with the LAMMPS software package, enabling large-scale simulations across multiple GPUs.
  • New model release: We are introducing MatterSim-MT, a multi-task foundation model for in silico materials characterization that enables the simulation of complex, multi-property phenomena beyond what potential energy surfaces alone can capture.

Materials design underpins a wide range of technological advances, from nanoelectronics to semiconductor design and energy storage. Yet development cycles for novel materials remain slow and costly. Universal machine learning interatomic potentials aim to accelerate the materials design process by providing accurate stability and property predictions for a wide range of materials. These models are orders of magnitude faster than traditional first-principles simulations, turning previously impractical problems into routine computations that can be completed in a few hours. Since we launched our MatterSim-v1 model, it has gained popularity in the materials science community for its ability to accurately simulate materials under realistic conditions, including finite temperature and pressure.

Today, we have several exciting MatterSim updates to share. These include experimental validation of MatterSim predictions for thermal conductors, performance improvements for faster simulation, and the introduction of a new multi-task foundation model for materials characterization.

Experimental validation Figure 1: Based on MatterSim’s computational predictions, we have synthesized a potential high thermal conductor. Left: MatterSim predictions of thermal conductivity compared to ground-truth simulation and experiment (with ±50% error band shown for reference). Right: Different views of the experimentally synthesized tetragonal tantalum phosphorus (TaP) sample with measured thermal conductivity of 152 W/m/K.

Materials with high thermal conductivity play a critical role in heat management, preventing overheating and improving energy efficiency. For example, established high thermal conductors like diamond, copper and silicon are widely used across a broad range of cooling applications. Designing next-generation thermal conductors may enable advances in computing, power electronics, and aerospace technologies. However, doing so requires accurate predictions of thermal conductivity values for candidate materials.

In solids, heat is carried in two main ways: by vibrating atoms (phonons) and by moving electrons. The phonon contribution can be estimated using machine-learning interatomic potentials to enable screening of thousands of candidates, narrowing the search space to the most promising materials before expensive experimental validation.

“MatterSim has generated by far the largest database of computational thermal conductivities. This opens the door to exploring a far broader materials space than before […].”

– Prof. Bing Lv, University of Texas Dallas

In collaboration with the University of Texas Dallas (UT Dallas), University of Illinois Urbana-Champaign, and University of California Davis (UC Davis), we have used MatterSim-v1 to screen over 240,000 candidate materials for high thermal conductors. As shown in Fig. 1 (left), MatterSim’s predictions have good agreement with first-principles simulations. Prof. Davide Donadio from UC Davis: “I was amazed by how the MatterSim model combined accuracy and computational efficiency to predict such a sensitive property as thermal conductivity. That was the key that unlocked screening at this scale, hundreds of thousands of crystals, that would have been completely out of reach with conventional methods.” Prof. Bing Lv from UT Dallas adds: “MatterSim has generated by far the largest database of computational thermal conductivities. This opens the door to exploring a far broader materials space than before, enabling the community to uncover a broader set of viable materials even after imposing practical requirements.”

“For the first time, we can test conventional understanding of what controls thermal conductivity at scale […]”

– Prof. David Cahill, University of Illinois Urbana-Champaign

Based on these predictions, we have identified tetragonal tantalum phosphorus (TaP) as a potential high thermal conductor. We have experimentally synthesized tetragonal tantalum phosphorus (TaP) at UT Dallas and measured its thermal conductivity at University of Illinois Urbana-Champaign (152 W/m/K for our best samples), close to the thermal conductivity of silicon. While we are not the first to synthesize tetragonal TaP, the material has not been considered as a thermal conductor before. These results demonstrate how MatterSim can enable the identification of functional materials: “For the first time, we can test conventional understanding of what controls thermal conductivity at scale, while enabling the discovery of new functional materials that balance it with other important constraints such as mass density, elemental abundance, and environmental stability”, says Prof. David Cahill from University of Illinois Urbana-Champaign.

PODCAST SERIES

The AI Revolution in Medicine, Revisited

Join Microsoft’s Peter Lee on a journey to discover how AI is impacting healthcare and what it means for the future of medicine.

Listen now Opens in a new tab Performance improvements

We are making MatterSim-v1 significantly faster by releasing several open-source performance and usability improvements. First, we speed up model inference through a combination of faster graph construction, ahead-of-time compilation and reduced conversion between atomic representations, resulting in a 3x speed-up of MatterSim-v1.0.0-5M and a 5x speed-up of MatterSim-v1.0.0-1M (see Fig. 2). To make MatterSim-v1 easier to use, we have integrated it into the widely used LAMMPS simulation software, allowing users to easily scale model inference across multiple GPUs in their existing workflows.

Figure 2: 3x inference speed-up of MatterSim-v1.0.0-5M and 5x inference speedup of MatterSim-v1.0.0-1M (python). New model release

Building on the success of MatterSim-v1, today we extend the MatterSim model family by announcing MatterSim-MT: a multi-task (MT) foundation model for in silico materials simulation and property characterization. The model natively predicts energies, forces, stress and several important materials properties.

MatterSim-MT is pretrained on over 35 million first-principles-labelled structures covering 89 elements, temperatures up to 5000 K and pressures up to 1000 GPa. It is further fine-tuned on various properties including Bader charges, magnetic moments, Born effective charges, and dielectric matrices. Out of the box, MatterSim-MT serves as a foundation model for predicting material structure, dynamics and thermodynamics. Its multi-task architecture also enables a wide range of complex simulations that cannot be captured by potential energy surfaces alone. The ability to accurately simulate these phenomena is crucial for applications such as catalysis and energy storage.

Here, we illustrate these multi-task capabilities through three case studies: vibrational spectroscopy, ferroelectric switching, and electrochemical redox. Each example requires a distinct combination of property predictions. In the full manuscript, we also show that MatterSim-MT scales well with more data and parameters, can be efficiently fine-tuned to higher levels of theory, and can be systematically extended to new systems via active learning.

Figure 3: MatterSim‑MT’s multi-task prediction ability enables simulating complex material phenomena. (a) Illustration of the multi-task inference capabilities of MatterSim-MT, including predictions of energy (E), forces (F), stress (S), magnetic moments (μ), Born effective charges (Z∗), and dielectric matrices (ε∞) from atomic structures. (b) Pressure-dependent phonon spectrum of silicon carbide (SiC) up to 100 GPa, with inset comparing MatterSim’s predicted longitudinal optical (LO) and transverse optical (TO) splitting against experimental measurements. (c) Predicted hysteresis curve of polarization density as a function of the electrical field along the z direction in the ferroelectric tetragonal BaTiO3 material. (d) Evolution of oxygen Bader charge distributions in Li1.2 – xMn0.8O2 during delithiation, with arrows indicating the formation of an O2 molecule.

First, we focus on vibrational spectroscopy, a technique that identifies substances by measuring how their atomic bonds naturally vibrate. We demonstrate how predictions of Born effective charges and dielectric properties enable the computation of phonon spectra in polar crystals. In these materials, oppositely charged ions vibrate against each other. Depending on the direction of vibration, this can lead to a buildup of charge that creates a macroscopic electric field, splitting the optical phonon modes into higher-frequency longitudinal (LO) and lower-frequency transverse (TO) branches. As a case study, we simulated this behavior in 3c-silicon carbide (3c-SiC), a material used in high-power electronics, under extreme pressures. As shown in Fig. 3(b), MatterSim-MT predicts a Born effective charge in close agreement with both theoretical and experimental values. The resulting LO-TO splitting of 5.26 THz deviates by only 0.06 THz from ab initio calculations and 0.03 THz from experimental measurements.

The predicted Born effective charges also allow us to simulate how systems respond to an external electric field. In ferroelectric materials, ions adopt an asymmetric arrangement that gives the crystal a net electric polarization that can be flipped by an applied field. In Fig. 3(c), we demonstrate this by simulating barium titanate (BaTiO3) under an applied electric field, reproducing the switching of its polarization. The resulting hysteresis curve correctly shows that finite-temperature effects at 300 K make it easier to flip the polarization, even though the predicted spontaneous polarization (38 μC/cm2) is slightly higher than the experimental value (26 μC/cm2). This discrepancy is likely due to the well-known underbinding of the underlying first-principles calculations.

Finally, we predict atomic charges to study the electronic degrees of freedom in chemical bonding and redox processes. We examine the behavior of the cathode material Li1.2 – xMn0.8O2 during a simulated battery charging process. These lithium-rich transition-metal oxides are promising next-generation batteries due to their high energy density but suffer from irreversible capacity loss associated with the anionic oxygen redox mechanism. We reproduced this phenomenon by running molecular dynamics simulations at 1000 K and progressively extracting Lithium to mimic battery charging. We observe a clear shift over time: at first, the manganese (Mn) atoms supply the electrons needed for charging, but as more lithium is removed, oxygen atoms are forced to give up electrons instead (cationic to anionic redox), as shown by the shift to less negative Bader charges over time (Fig. 3(d)). This destabilises the structure with oxygen atoms pairing up to form O2 dimers (Fig. 3(d), inset). Notably, this comprehensive picture of the cationic-to-anionic redox transition and lattice degradation naturally emerges from the multi-task predictions, without any task-specific training on battery materials.

Next steps

With experimental validation, substantial performance improvements, and new multi-task capabilities, MatterSim is advancing toward more practical, decision-relevant use in materials design. Together, these developments are helping materials scientists move more quickly from large-scale computational screening to targeted experimental follow-up and decision-relevant scientific workflows. We are excited to see how the materials science community applies these advances in their own domains.

We look forward to continued collaboration as MatterSim is tested, extended, and integrated into real-world materials discovery pipelines.

MatterSim updated MatterSim-MT Pre-Print Acknowledgements

This work is the product of a highly collaborative and interdisciplinary effort led by Microsoft Research AI for Science in partnership with Microsoft Research Accelerator and collaborators at the University of Texas Dallas (supported by MSR Accelerator), University of Illinois Urbana-Champaign and University of California Davis. Contributors to this work include Han Yang, Xixian Liu, Chenxi Hu, Yichi Zhou, Yu Shi, Chang Liu, Junfu Tan, Jielan Li, Guanzhi Li, Qian Wang, Yu Zhu, Zekun Chen, Shuizhou Chen, Fabian Thiemann, Claudio Zeni, Matthew Horton, Robert Pinsler, Andrew Fowler, Daniel Zügner, Tian Xie, Lixin Sun, Yicheng Chen, Lingyu Kong, Yeqi Bai, Deniz Gunceler, Frank Noé, Hongxia Hao, Ziheng Lu, Zixin Zhai, Mengfan Wu, Haoke Qiu, Mingfa Tang, Tie-Yan Liu, Haiguang Liu, Tao Qin, David G. Cahill, Bing Lv, Davide Donadio, Shoko Ueda, and Kenji Takeda.

Opens in a new tab

The post Advancing AI for materials with MatterSim: experimental synthesis, faster simulation, and multi-task models appeared first on Microsoft Research.

Categories: Microsoft

SocialReasoning-Bench: Measuring whether AI agents act in users’ best interests

Microsoft Research - Mon, 05/11/2026 - 19:19
At a glance
  • AI agents are moving into social contexts. When agents manage calendars, negotiate purchases, or interact with other agents on a user’s behalf, they need more than task competence—they need social reasoning.
  • SocialReasoning-Bench evaluates that ability. The benchmark tests whether an agent can negotiate for a user in two realistic settings: Calendar Coordination and Marketplace Negotiation. 
  • The benchmark measures both outcomes and process: it scores agents on outcome optimality (how much value they secure for the user) and due diligence (whether they follow a competent decision-making process). 
  • Current frontier models often leave value on the table. They usually complete the task, but they frequently accept suboptimal meeting times or poor deals instead of advocating effectively for the user. 
  • Prompting helps, but it is not enough. Even with explicit guidance to act in the user’s best interest, performance remains well below what a trustworthy delegate should achieve.

As AI agents take on more real-world tasks, they are increasingly operating in social contexts. With the right integrations, agents like Claude Cowork and Google Gemini can manage email and calendar workflows. In these settings, the agent must interact with others on your behalf. This requires social reasoning — understanding what you want, what the counterparty wants, and what information to reveal, protect, or push back on.

Our previous research suggests that today’s frontier models lack social reasoning. In our simulated multi-agent marketplace, agents accepted the first proposal they received up to 93% of the time without exploring alternatives. When red-teaming a social network of agents, a single malicious message spread through the system and led agents to disclose private data before passing the message along.

This kind of relationship has a long history outside AI. In economics and law it is called a principal-agent relationship: an agent acts on a principal’s behalf in interactions with others whose interests differ. Attorneys, real-estate agents, and financial advisors all operate in this mode, and the duties they owe—care, loyalty, confidentiality—are codified in centuries of professional norms. AI agents acting on a user’s behalf should ultimately be held to similar standards.

To measure and drive progress in social reasoning, we built SocialReasoning-Bench:  a benchmark for testing whether agents can reason and negotiate on a user’s behalf against a counterparty with independent goals, private information, and potentially adversarial intent.

Introducing SocialReasoning-Bench Figure 1: Our benchmark measures agents’ social reasoning ability in two domains, calendar coordination and marketplace negotiation. Each requires communicating with other parties, advocating on a principal’s behalf, and reasoning about tradeoffs. 

SocialReasoning-Bench evaluates social reasoning in two domains: Calendar Coordination and Marketplace Negotiation. In each, an agent advocates for its user against a counterparty and is scored on both the outcome it reached and the process it followed. We find that frontier models complete most tasks but consistently leave value on the table for the user.

Calendar coordination

In calendar coordination, an assistant agent manages a user’s calendar on a single day and fields a meeting request from another agent.

We assume the agent has access to a value function over time slots that captures the user’s scheduling preferences between 0.0 and 1. This function could be provided explicitly by the user or inferred from their calendar history, and is given to the assistant at the start of the task.

The counterparty is a requestor agent representing another person who wants to schedule a meeting with the user. The counterparty has its own value function over the same slots, constructed as the inverse of the user’s, so the slots most valuable to one are least valuable to the other. Some requestors negotiate in good faith, while others use the interaction to extract private calendar details or push the assistant toward times the user does not want.

In each task there is a zone of possible agreement (ZOPA) a term borrowed from negotiation theory for the set of outcomes that both parties could plausibly accept. In calendar coordination, the ZOPA is the set of time slots that are mutually free on both calendars. We construct every task so that the ZOPA contains at least three slots with different preference scores for the user, and the requestor’s opening request always conflicts with the user’s calendar.

Marketplace negotiation

In marketplace negotiation, a buyer agent representing a user negotiates with a seller agent to purchase a single product.

The user wants to pay as little as possible for the product. Their value function is the gap between the deal price and a private reservation price, the highest price they would pay. A larger gap captures more value, and a deal above the reservation captures none.

The counterparty is a seller agent with its own private reservation price set below the buyer’s. The counterparty’s value function mirrors the user’s, with higher deal prices yielding more value and deal prices below the seller’s reservation price yielding no value.

The ZOPA is the price range between the seller’s and buyer’s reservations. The seller’s opening offer is always above the buyer’s reservation, forcing the buyer to negotiate the price down.

New metrics for a new setting

Existing benchmarks focus on task completion: did the meeting get scheduled? Did the trade close? In principal–agent settings, what matters is not just whether the task is completed, but how well it is done. We introduce new measures to capture this distinction.

Outcome Optimality

Outcome optimality scores the share of available value the agent captured for its principal, on a 0-to-1 scale. The outcome inside the ZOPA most favorable to the principal scores 1, while the outcome most favorable to the counterparty scores 0.0. Intermediate outcomes are scored by where the principal’s value function places them between those two endpoints.

Due Diligence

Outcome optimality alone conflates skill with luck. An agent that immediately accepts a counterparty’s first offer, without inspecting its situation or making a counter-proposal, can still score well if the counterparty happens to propose a good outcome. To separate skill from luck, we introduce a process metric.

Due diligence scores process quality on a 0-to-1 scale by comparing the agent’s actions, at each decision point in the trajectory, against the action a deterministic reasonable-agent policy would have taken in the same state. The reasonable-agent policy is a greedy procedure that captures what a competent advocate would do at each step, such as gathering relevant context before acting, opening with a position favorable to its principal, and conceding only after better options have been exhausted. The Due Diligence score is the rate at which the agent’s actual choices match the reasonable-agent’s choices over the trajectory.

Duty of care

Together, Outcome Optimality and Due Diligence form an operational notion of an agent’s duty of care to the person it represents. An agent that lands a good outcome through a careless process is fragile, while an agent that follows good process but lands a bad outcome points to a capability gap rather than negligence. Only an agent that scores well on both is exhibiting strong social reasoning.

Spotlight: Microsoft research newsletter

Microsoft Research Newsletter

Stay connected to the research community at Microsoft.

Subscribe today Opens in a new tab Experimental setup

For the calendar assistant agent and marketplace buyer agent, we evaluate GPT-4.1 with chain-of-thought, GPT-5.4 at high reasoning effort, and Claude Sonnet 4.6 and Gemini 3 Flash at high thinking levels. The counterparty (i.e. requestor in calendar coordination, and seller in marketplace negotiation) is always Gemini 3 Flash with medium reasoning effort, held constant across all conditions so that any difference in scores reflects the model under test rather than the difficulty of its opponent.

Each model is run under two prompt conditions: Basic Prompting where the agent receives only role and tool descriptions, and Defensive Prompting where the agent additionally receives explicit guidance to consult all available sources and advocate for the user toward the best possible outcome.

Each task runs for 10 negotiation rounds, at most. The counterparty proposes first in every task.

What we’re finding Finding 1: Agents complete tasks at near-perfect rates but produce poor outcomes.

In calendar scheduling, agents almost always succeed in booking the meeting, but most often at suboptimal times. In marketplace negotiation, deals almost always close, but frequently at the worst possible price. The tasks get done, but not done well: task completion signals success, while Outcome Optimality reveals a consistent failure to act in the principal’s best interest.

Figure 2: Task Completion vs Outcome Optimality by model and domain. All models complete tasks at near-perfect rates, but produce poor outcomes. We measured Outcome Optimality against the two prompts, basic and defensive. Defensive prompting helps but does not close the gap.  Finding 2: Defensive prompting helps, but is not enough to close the gap.

When we instruct agents on how to work hard on their principal’s behalf, we see outcome improvements across both domains, but it is not enough to close the gap. GPT-5.4 benefits most from defensive prompting (+0.21 in calendaring, +0.12 in marketplace), while GPT-4.1 barely responds to it in either domain. The other models fall somewhere in between.

Finding 3: Outcome optimality shows how much value agents leave on the table.

Outcome optimality reflects where each deal lands within the ZOPA. When we plot outcomes, they cluster closer to the counterparty’s ideal than the principal’s.

Figure 3: Outcome Optimality (OO) distribution by model and domain. Each dot is one task instance. OO=1.0 means the agent captured all available value for its principal; OO=0.0 means the counterparty captured everything. Black lines show the mean. In marketplace, outcomes cluster near zero across all models. In calendar, agents perform better but still settle below the midpoint on average. 

In marketplace negotiation, all models settle at or near zero for Outcome Optimality, accepting deals that give away virtually all available surplus. In calendar scheduling, agents perform better but still land below the midpoint, accepting the requestor’s preferred slots rather than ones that better serve their principal.

Measuring value capture in agent negotiations builds on recent studies examining how agents perform in marketplace settings. Because we operate in a controlled setting, we can establish ground-truth constraints for both parties and measure exactly how the available value was divided. Our formulation also generalizes beyond price-based negotiations: by abstracting to a domain-specific value function, Outcome Optimality can measure surplus division in any setting where agents face competing incentives, including non-monetary domains like calendar scheduling where “value” is defined over preference scores rather than prices.

Finding 4: Due Diligence helps distinguish between luck and skill.

When we look at the combination of outcome quality and process quality, a more nuanced picture emerges. Many agents that achieve reasonable outcomes do so through fragile processes: they don’t check context before acting or they accept offers without countering. High Outcome Optimality with low Due Diligence suggests an agent that got lucky rather than one that can be trusted. Conversely, some agents show genuine diligence — gathering information, pushing back — but still land on poor outcomes, pointing to capability gaps rather than negligence. Dividing Outcome Optimality and Due Diligence each into high (>=0.5) and low (<0.5) buckets, we can sort every task into one of four archetypes.

Not diligent (DD < 0.5)Diligent (DD ≥ 0.5)Good outcome (OO ≥ 0.5)LuckyRobustPoor outcome (OO < 0.5)NegligentIneffective

Through the lens of this decomposition, we can see that models exhibit robust duty of care on more than 50% of calendar coordination tasks, with Gemini 3 Flash leading at 90% robust. In marketplace negotiation, though, a very different picture emerges. GPT-4.1 is negligent in 95% of tasks, neither gathering information nor advocating for its principal, while Claude Sonnet 4.6, GPT-5.4, and Gemini 3 Flash show ineffective behavior in roughly 90% of marketplace tasks, negotiating diligently but still unable to achieve good outcomes. 

=0.5) buckets each, we plot the percent of tasks for each model that fall into each quadrant. For example, in calendar scheduling, GPT-4.1 achieves both high OO and high DD (Robust) in 63% of tasks. In contrast, in the marketplace domain, GPT-4.1 exhibits low OO and low DD (Negligent) in 95% of tasks. " class="wp-image-1171332"/>Figure 4: Splitting Outcome Optimality and Due Diligence into “low” (<0.5) and “high” (>=0.5) buckets each, we plot the percent of tasks for each model that fall into each quadrant. For example, in calendar scheduling, GPT-4.1 achieves both high OO and high DD (Robust) in 63% of tasks. In contrast, in the marketplace domain, GPT-4.1 exhibits low OO and low DD (Negligent) in 95% of tasks

Figures 5-8 illustrate these different behaviors and failure modes with real examples from SocialReasoning-Bench in the calendaring domain. We see agents that follow a strong negotiation strategy and secure high-value outcomes, but also agents that achieve reasonable outcomes through sloppy processes, such as failing to propose the principal’s best option. Others begin with a strong position but concede prematurely, collapsing to poor deals. At the extreme, some agents exhibit negligent behavior, accepting the first proposal without checking constraints, even when it directly conflicts with the user’s interests.

Figure 5. A real paraphrased example of robust behavior from GPT-4.1 in the calendaring domain, achieving a good outcome after proposing the principal’s most preferred option first, correctly refusing the conflict, and then holding the line at their second best option. Figure 6. GPT-4.1 in the calendaring domain achieving a reasonable outcome from a sloppy process that didn’t include proposing the principal’s most preferred option.  Figure 7. GPT-4.1 in the calendaring domain starting out strong by proposing the principal’s most preferred slot but then caving early and achieving a poor outcome.  Figure 8. GPT-4.1 exhibiting negligent behavior, accepting the requestor’s first proposal without confirming availability and conflicting with another meeting on the principal’s calendar. 

Taken together, these examples highlight why outcome alone is insufficient. Without measuring process, we risk mistaking brittle or accidental success for genuine capability. Due Diligence helps surface whether an agent is consistently behaving like a competent, trustworthy delegate, or simply getting lucky.

Finding 5: Agents are vulnerable to adversarial manipulation

When we stress test agents by pitting them against adversarial counterparties, we find that agents struggle to balance when to engage, when to refuse, and how to negotiate under pressure.

To create these adversarial scenarios, we introduce counterparties explicitly trying to manipulate outcomes or bypass protective steps. Some follow carefully designed strategies, applying pressure or probing for information, while others use more unpredictable, creatively generated whimsical tactics that mimic novel forms of social engineering. Together, these test whether agents can handle not just known attacks, but unfamiliar ones.

Figure 9: Refusal Rates and Outcome Optimality when agents engaged with adversarial requestors in both domains. Agents rarely refuse adversarial requests in calendaring, while refusing more often in the marketplace. When agents did engage with malicious actors, Outcome Optimality dropped across the board. 

We find that, aside from Claude Sonnet 4.6, agents rarely refuse adversarial requests in calendar scheduling, while refusing more often in marketplace settings. This suggests that adversarial intent is harder to detect in socially framed interactions. When agents do engage, the impact is starkest in calendar scheduling with Outcome Optimality dropping substantially across GPT-4.1, GPT-5.4, and Gemini Flash 3, suggesting that adversarial counterparties successfully steer these agents toward worse outcomes. In the marketplace domain, Outcome Optimality when agents engaged remains comparable to the low levels achieved against benign counterparties, capturing little to no value for their principals.

Why this matters now

Agents are interacting with each other in multi-party environments, from collaborating across enterprise workflows to transacting in digital marketplaces. As these networks form, the social reasoning gaps we observe in simple two-agent settings can begin to compound. Weak negotiation, over-trust, or failure to exercise due diligence no longer stay local. They propagate through coordination, influence downstream decisions, and shape collective outcomes.  

In isolation, an agent that accepts a bad meeting time or a poor deal causes limited harm. In a network, those same behaviors can cascade, leading to systematically worse coordination or widespread value loss across many agents.

Recent work has begun exploring these risks and dynamics through case studies of agents interacting in networked settings. SocialReasoning-Bench complements this line of work by providing a controlled, reproducible benchmark that isolates interaction behaviors and makes them measurable. This allows us to move beyond anecdotes and systematically track progress, giving model, agent, and platform developers a concrete target for building agents that act as trustworthy delegates.

SocialReasoning-Bench is open source and available on GitHub (opens in new tab).

Limitations and future work

Our current measures treat all counterparties equally. In practice, relationships matter. A socially intelligent agent should modulate its assertiveness based on their principal’s relationship with the counterparty: pushing too hard when scheduling a meeting with a senior executive may damage a valuable relationship, and sometimes the right outcome is reached through compromise. Developing relationship-aware measures that account for power dynamics, rapport, and long-term consequences is an important direction for future work.

We evaluate social reasoning in simplified two-agent settings, whereas real-world delegation often involves multi-party dynamics such as group scheduling or multi-stakeholder negotiations. Each task is also treated as an independent encounter, with no modeling of long-term relationships, reputation, or trust-building across repeated interactions. Our scenarios are also limited to English-language and U.S.-centric business contexts, though social norms around negotiation, privacy, and hierarchy vary widely across cultures. Looking ahead, we plan to extend our benchmark to more diverse settings.

Finally, Outcome Optimality works well in settings with clear boundaries, where a “good” outcome can be defined and measured. But many tasks that require duty of care, such as drafting sensitive messages or navigating team dynamics, may not have a well-defined ZOPA. In these cases, outcomes depend on context, relationships, and judgment in ways that may resist a single score. Extending our approach to these more subjective settings is an important direction for future work.

Acknowledgements 

We would like to thank Brendan LucierAdam FourneyAmanda Swearngin, and Ece Kamar for their helpful feedback, discussions, and support of this work. 

Opens in a new tab

The post SocialReasoning-Bench: Measuring whether AI agents act in users’ best interests appeared first on Microsoft Research.

Categories: Microsoft

Building realistic electric transmission grid dataset at scale: a pipeline from open dataset

Microsoft Research - Fri, 05/08/2026 - 21:53
At a glance
  • We construct geographically grounded, electrically coherent power grid models entirely from publicly available data and release a dataset spanning 48 U.S. states and multi-state interconnections.
  • The models support AC optimal power flow (AC‑OPF) analysis, enabling physics-based study of congestion, capacity, and demand siting without restricted data.
  • We demonstrate applications including transmission expansion potential, targeted line upgrades, and placement of large datacenter loads.

Microsoft Research is excited to release an open dataset of approximate transmission topology of the U.S. power grid derived from publicly available data.

The ability to study transmission-level power grid behavior is essential for modern power systems research. Analyses of congestion, transmission expansion, demand growth, and system resilience all depend on network models with realistic topology, electrical parameters, and geographic grounding.

In most of the world, including the United States, realistic transmission-level grid data is classified as critical infrastructure information and subject to strict access controls. These restrictions exist for good reasons, but the resulting lack of realistic grid models is increasingly exacerbating the challenges power systems face. Decisions about where new load can be added – and how additional transmission assets can be deployed to support it – are often gated behind lengthy and opaque processes that can take years. For researchers developing new tools and algorithms, access typically requires long approval cycles, strict non-redistribution agreements, or costly commercial licenses.

As a result, many are left choosing between small “toy” networks with dozens of buses, or synthetic models that do not correspond to real infrastructure. This lack of realistic, shareable models is particularly limiting for data-driven and AI-based approaches, which require large volumes of physically plausible grid data for training and evaluation methods for grid analysis and planning.

Against this backdrop, a natural question arises:

Can we meaningfully understand how the U.S. power grid responds to modern stresses – and facilitate the development of actionable solutions for the system – using only open data?

In this work, we introduce an open-data-derived pipeline for constructing large-scale, transmission-level power grid models that realistically approximate existing networks without relying on proprietary or restricted datasets. We provide an open dataset derived from this process, consisting of transmission-level models spanning 48 U.S. states as well as interconnection-scale networks, ranging in size from small systems with as few as 11 buses to the full Eastern Interconnection grid connecting 21,697 buses. The pipeline has been validated across the continental United States, where sufficient open geographic, energy, and demographic data are available, and is designed to generalize to other regions with comparable public data sources. 

Using only publicly accessible datasets, the pipeline produces geographically grounded, electrically coherent transmission models at state, multi-state, and interconnection scales. These models preserve the geographic structure of transmission corridors, substations, and generators inferred from open data, while explicitly accounting for uncertainty where detailed operational parameters are unavailable through transparent feasibility reporting.

Importantly, these are not toy networks or abstract benchmarks. The resulting models support alternating current optimal power flow (AC-OPF) analysis across a wide range of scales, enabling physics-based investigation of questions such as where transmission capacity is physically constrained; where new demand can be absorbed; and how infrastructure changes propagate through realistic network layouts – using only open data.

In this post, we describe the approach at a high level and highlight the system level questions it enables.

How the pipeline works

The pipeline turns publicly available geographic and energy data into transmission-level grid models that are geographically grounded and usable for power flow analysis.

The starting point is OpenStreetMap (opens in new tab), which encodes the physical layout of transmission corridors, substations, and power plants. This geographic skeleton is then augmented with open datasets describing generation capacity, fuel mix, demand, and operational boundaries (including U.S. EIA energy statistics and U.S. Census data), allowing the models to go beyond topology and represent how electricity is produced and consumed.

The key test is solvability. In power system analysis, solving optimal power flow (OPF) problems is a practical check on whether a network description is electrically coherent and practically relevant. OPF determines how generation can be dispatched to meet demand while respecting physical constraints such as transmission line capacities, voltage limits, and generator capabilities. Many inferred or synthetic networks fail this test outright: the topology may appear roughly correct, but other important engineering parameters are not. 

Crucially, this approach moves beyond small benchmark or “toy” networks. In particular, we solve AC-OPF across the entire Eastern Interconnection, spanning 36 states and more than 20,000 buses, derived exclusively from public data sources. This demonstrates that open-data-derived models can produce convergent AC-OPF solutions at a continental scale. 

To be clear, these models are not exact replicas of the operational grid, nor are they intended for market forecasting or real-time operational decision making by power balancing authorities. Electrical parameters are estimated from standard engineering references, parallel circuits are approximated rather than exhaustively enumerated, and demand is allocated using public proxies derived from open data.

The goal is to produce structurally and electrically realistic models that preserve geographic structure and scale from individual states to large multi-region systems using only open data. Full methodological details, validation results, and limitations are described in a companion research paper. 

Why this matters for today’s energy challenges

Access to solvable, geographically grounded grid models unlocks questions that have become increasingly urgent as the energy system evolves, driven by large-scale datacenters, AI workloads, renewable generation, and extreme weather events. We illustrate these capabilities with concrete analyses on models derived from our pipeline.

Where can new transmission physically fit?

Before asking how much new capacity the grid needs, planners must first ask where more wires are even possible. Transmission corridors have a physical limit on how many circuits they can carry: each circuit requires three conductors, and most tower structures accommodate one to three circuits (three to nine conductors). Beyond that, adding capacity typically requires acquiring entirely new rights-of-way – which is expensive, legally complex, and often politically infeasible in urban areas. 

Because our models preserve the geographic structure of real transmission corridors from OpenStreetMap, we can count the number of parallel circuits along each path and visualize where the grid is already physically saturated.

Figure 1. Across the contiguous United States (top), the model identifies 31,488 distinct transmission corridors. The overwhelming majority (27,506) carry a single circuit (green), making parallel lines easier. The roughly 4,000 corridors in orange through red already carry two or more parallel circuits, with the densest packing ten circuits (30 conductors) onto a single path. Zooming into California (bottom), the pattern becomes more discernable. The red corridor north of Sacramento and the orange clusters around the Bay Area and LA basin show where the grid is already physically dense, while the long green radials across the Mojave and into Nevada still have room to grow.

Identifying where the grid is physically boxed in, regardless of generation or demand, is not an optimization problem. It is a spatial feasibility question that geographically grounded models are uniquely positioned to answer.

What if we add capacity where it is needed most?

In dense urban areas, adding new traditional transmission lines is often impractical. The combination of tightly packed buildings, roadways, and complex underground infrastructure leaves little room to establish rights-of-way for high-voltage lines. Alternative power‑transmission solutions are sometimes explored to support urban grid expansion. For example, high-temperature superconducting (HTS) cable systems offer an order-of-magnitude higher ampacity for a given cross-section, enabling the transfer of large amounts of power at lower voltages and simplifying permitting requirements.

Short point-to-point superconducting power links have already been demonstrated in U.S. cities: Columbus, Ohio, Albany, New York, Long Island, New York (decommissioned), and Chicago (operational).

To explore what such connections might accomplish, we modeled two hypothetical HTS links in the Massachusetts grid, each connecting a substation northwest of Boston to load centers closer to the city. We then re-solved AC-OPF and compared the results to the unmodified baseline.

Figure 2. In the baseline (top), one transmission line exceeds its thermal rating (≥100%, dark red) and two more operate above 90%. After adding two HTS links (bottom, dashed lines), every line in the network drops below 90% loading. The energy price falls 42%, from $22.7/MWh to $13.1/MWh, as generation that was previously bottlenecked behind constrained corridors becomes deliverable.

This is precisely the kind of insight that publicly available price data cannot provide. Wholesale electricity prices reflect whether congestion exists, but not how close the system is to congestion nor how power flows change when new assets are added. A line operating at 95% of its thermal limit and one at 50% look identical in market data – until one of them reaches capacity. Physics-based models expose that margin directly, making it possible to evaluate interventions before they are built. 

Where should new demand go?

Rapid growth in electricity demand raises a question that existing market signals answer poorly: where on the network can new consumption be absorbed without triggering congestion?

Wholesale electricity prices reflect marginal generation costs, current congestion patterns in the transmission grid, and transmission losses, which are typically small – but they do not capture how close the system is to its limits. Siting decisions based solely on price therefore miss the physical margin that determines whether new demand can be served without infrastructure upgrades.

To illustrate this, we placed the same hypothetical 500 MW datacenter at two locations in the Maryland grid and re-solved AC-OPF for each (locations were chosen arbitrarily and do not reflect Microsoft’s datacenter portfolio or expansion plans). The two sites are plausible alternatives from a market perspective, with similar population density, comparable electricity prices, and proximity to major load centers:

  • Site A (Baltimore area): a substation in the Baltimore metropolitan region, near an existing generation complex and dense transmission infrastructure
  • Site B (Washington, DC suburbs): a substation in Montgomery County, serving a similarly dense suburban area within the Washington–Baltimore corridor

Despite these similarities, the physical outcomes differ. Adding the datacenter at Site A pushes a nearby transmission line into thermal overload, while placing the same load at Site B is absorbed by the existing network without violating line limits. The two sites are less than 50 miles apart, yet one would require transmission reinforcement and the other would not.

Figure 3. Placing the datacenter near Baltimore (top) pushes one transmission line into overload (≥100%) and raises the energy price from $24.6/MWh (baseline) to $28.6/MWh (+16.1%). The same load placed near the DC suburbs (bottom) keeps all lines below 95% and raises the price to $26.4/MWh (+7.4%). The Baltimore site yields a price $2.1/MWh higher – a difference that, across the 500 MW load, amounts to roughly $9,100 per hour or ~$80 million per year.

This distinction – largely invisible in price data – emerges directly from a more direct first-principle transmission-level power flow analysis. It highlights why geographically grounded, physics-based models are necessary for demand-siting decisions in a stressed grid.

Looking ahead

This work shows that it is possible to study transmission-level grid behavior at realistic scales without access to restricted infrastructure data. By grounding models in real geography and making uncertainty explicit, open-data-derived grids can support analyses that are difficult or impossible with small benchmarks or purely synthetic networks.

While the examples here focus on the United States, the approach generalizes to other regions where comparable open data is available. More broadly, we see this capability as an enabling layer: a way to improve the study of congestion, feasibility, and system stress – whether for planning studies, scenario analysis, or data-driven methods that require realistic grid structure.

We are releasing an open dataset of grid models spanning 48 U.S. states and six multi-state interconnections, ranging from small systems with tens of buses to continental-scale networks. All models can be solved under AC-OPF, with controlled relaxations applied when necessary to account for uncertainty in open data inputs. These models are solved for both peak and off-peak demand conditions, enabling consistent analysis across a range of operating scenarios.

This post is the first in a two-part series. In the second post, we introduce GridSFM, a learning-based AC-OPF surrogate trained on these grid models. We show how it predicts a full AC operating point in milliseconds, classifies feasibility for fast screening at planning scale, and serves as a warm-start seed that accelerates downstream numerical solvers.

GitHub Hugging Face Opens in a new tab

The post Building realistic electric transmission grid dataset at scale: a pipeline from open dataset appeared first on Microsoft Research.

Categories: Microsoft
Syndicate content

eXTReMe Tracker