Institutional Red-Teaming: Deployment Rules, Not Just Models, Causally Shape Multi-Agent AI Safety Researchers introduced institutional red-teaming, a methodology for testing deployment rules in multi-agent AI systems, and found that changing only the consequence rule shifts mean fatality by 22 to 58 percentage points across populations. The study, using the IABench-CA benchmark, revealed that no default rule is universally safe and that identity salience in rule text drives targeted elimination of the least-resourced agent. The findings underscore that deployment rules, not just models, causally shape multi-agent AI safety. arXiv:2607.07695v1 Announce Type: new Abstract: We introduce institutional red-teaming, an evaluation methodology for testing deployment rules in multi-agent AI: hold the agents, objectives, and task state fixed, vary only one rule, and attribute the resulting change in collective behavior to that rule. We instantiate the methodology in IABench-CA, a consequence-allocation benchmark spanning 228 contexts, five canonical rules, and seven model populations 33,924 games , with a normative cooperative reference and auto-labelled reasoning traces. Three findings emerge. 1 Deployment rules causally alter collective safety: changing only the consequence rule moves mean fatality by 22 to 58 percentage points within every population. 2 There is no safe default, but the targeting hazard is universal: the safest rule, the least-safe rule, and even the direction of the incidence effect vary across populations, yet regressive identity-targeting is never decisively safest in any context for any population, eliminates the least-resourced agent in 30-87% of games everywhere, and is selection-unsafe relative to the cooperative reference for all seven populations. 3 Identity salience is the mechanism: a one-shot anonymization ablation on the most exploitation-prone population gpt-5.1 shows that merely naming the loss bearer in the rule text drives targeted elimination from 22% to 81% at identical payoffs; under repeated play, anonymization only delays the targeting, as agents re-infer the hidden rule from observed eliminations. We package the methodology as a safety-case workflow that certifies a provisional rule region $\Phi c,P $ per deployment context and population, with explicit residual risks and monitoring obligations.