Agentic Surveillance Mx

Karime Pacheco, Santiago Gamboa, María José León, Jorge Castillo

In this project is evaluated whether AI safety benchmarks designed for English-speaking, GDPR-regulated contexts transfer to Mexico's legal and linguistic environment. Using a four-condition staircase design across four high-risk scenarios and three frontier models, it finds that agents can discriminate silently, inferring ethnicity and socioeconomic status from a candidate's name or university without ever surfacing protected data in their output, bypassing any PII filter. Model selection emerges as the dominant safety variable: claude-opus-4.8 records zero violations across all conditions, while gemini-3.5-flash fails every recruitment episode. The accompanying open-source package, agentic-surveillance-mx, makes the pipeline reproducible for other Global South regulatory contexts.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

- The problem being tackled is very interesting: biases that cannot be detected through an output filter. The conceptual grounding in regulation is also a strong contribution.

- It's a real strength that the design includes different combinations of conditions, making it reusable for other contexts.

- The paper presents its central question as: "What happens when an agent doesn't mention any protected data in its output and still discriminates systematically?" However, based on the methodology, the question being actually tested is more specific: what happens when a system (model) is caught between two instructions — following a law versus following an existing procedure that already contains bias. These are two different problems and approaches. For the first question (spontaneous, undetectable bias), one could design an evaluation without giving the model legal context or the scoring rules upfront.

- The abstract is not clear. An abstract should present, in one paragraph, the problem, what was done, and the main results, but in this case it is difficult to understand what was actually done.

- The document is confusing to read: it has issues with writing/wording, spelling, and the ordering of content doesn't help the reader follow along.

El proyecto aborda un riesgo muy relevante para la seguridad de la IA: que un agente basado en LLM pueda producir una decisión discriminatoria sin mencionar explícitamente datos personales protegidos. Ese punto es especialmente valioso porque muestra una limitación de los controles centrados únicamente en PII visible: una salida puede parecer formalmente limpia y, aun así, incorporar una inferencia discriminatoria mediante proxies o razonamientos indirectos.

Una fortaleza del trabajo es que no se queda en una afirmación abstracta. El caso de reclutamiento permite mostrar de forma concreta cómo puede operar la discriminación por proxy en decisiones de alto riesgo, y el diseño escalonado ayuda a observar el efecto del idioma, el marco jurídico y el contexto mexicano. También es positivo que el equipo reconozca el carácter exploratorio de los resultados y las limitaciones del tamaño muestral, lo que le da seriedad metodológica al proyecto.

Como siguiente paso, el proyecto podría profundizar no solo en si aparece discriminación por proxy, sino en qué parte del diseño del agente la activa o la amplifica. Para una auditoría institucional sería muy valioso saber dónde intervenir: si en la selección del modelo, la función objetivo, el system prompt, los criterios usados como proxy o la forma en que el agente pondera esos elementos. Incorporar pruebas adicionales que varíen algunos de estos componentes permitiría pasar de detectar el riesgo a orientar mejor su mitigación.

Desde la perspectiva de gobernanza y rendición de cuentas, el hallazgo central es muy importante: la ausencia de datos personales visibles no equivale a ausencia de discriminación. Si agentes LLM se usan en decisiones de alto impacto como reclutamiento, salud, crédito o acceso a servicios, la auditoría no debería limitarse al resultado final. Debe poder revisar la cadena completa de decisión: modelo elegido, objetivo asignado, restricciones del prompt, criterios de clasificación, trazabilidad del razonamiento y rol de la supervisión humana. Ese puente entre evaluación técnica y responsabilidad institucional podría convertir el proyecto en una herramienta con mayor potencial para auditoría de IA en contextos latinoamericanos.

Clear engagement with a real measurement gap.

You asked a sharp question: can an agent violate privacy without ever mentioning a protected attribute in its output? The worked example in Box 1, which walks through resume_02 and resume_10 side by side with exact point allocations, is the strongest part of the submission. It makes indirect inference visible in a way the abstract alone can't.

One area to push further is the gap between what the staircase design was built to test and what it actually shows. None of the three comparisons in Table 6 (language, legal framework, culture) reach significance, so the variable you set out to isolate doesn't produce a measurable effect. The result that does hold up, model choice as the dominant factor, ends up reading as a secondary finding in section 4.4, when it's really the paper's main result. Reframing around that would make the contribution land more clearly.

The number of episodes attributed to claude-opus-4.8 in section 4.4 doesn't match your own repository. The paper reports 96 episodes with 94/96 judge confidence for that model, but your README states the full experiment is 96 runs total, covering 3 models times 16 scenarios times 2 replicas. One model alone should be 32 episodes, not 96. This is worth fixing since it's the number behind the headline claim.

The abstract and conclusion present the 0% vs. 100% gap as settled, but the limitations section says plainly that no Fisher test reached significance with n=2 per cell. A reader who only sees the abstract walks away more confident than the data supports.

One question: in Table 3, gpt-5.5 is noted as having exposed names that reveal gender in one replica. Was that scored as its own violation type, or folded into the indirect_inference count?

I wasn't able to run the Docker pipeline myself, since I had no API key and no local execution, so I can't independently confirm the violation rates beyond the CSVs you cite. I read both repositories, including the judge and analysis scripts, and the implementation matches what's described in the paper.

Overall, a well-instrumented experiment with a genuinely useful worked example, but the abstract claims more certainty than the body delivers, and the episode count needs a fix.

The text presents a novel and ingenious strategy but has a significant area for methodological improvement, in many cases highlighted by the authors themselves. They could also utilise open and local models to address potential biases in GPT-4.1. Conceptually, it appears that the authors confuse ‘discrimination’ with ‘privacy issues’. Whilst it is clear that these may be linked, the text sometimes refers to one and at other times to the other, as if addressing both issues simultaneously in an unclear manner without establishing the conceptual connection between them. As for the stylistic presentation of the work, it could be substantially improved; it reads like a first draft. A very good idea is overshadowed by carelessness. To improve the text, it is necessary to clarify what the scenarios consist of. The text contains sections in English and others in Spanish, which may be interpreted as a sign of carelessness. I think it is important to point out that the authors observe that model evaluation is predominantly carried out in English; however, they use English words and acronyms when Spanish equivalents exist.

The central finding is one of the hackathon's most relevant contributions for Latin American contexts, as it exposes exactly the type of violation that current PII filters cannot detect. The staircase design to isolate language, legal framework, and cultural context is methodologically beautiful :) . To consolidate the work, the most urgent next steps are increasing replicas per cell (minimum 10 for robust inference), including open-source models widely used in LATAM such as Llama or Mistral, and validating the GDPR - LFPDPPP equivalence with Mexican legal specialists. It is also worth correcting the duplication of Tables 3 and 5, which are identical.

El proyecto muestra una clara evidencia sobre el objetvo planteado, sería bueno seguir intentando encontrar las implicaciones más allá de los marcos normativos del uso de estos algoritmos, es más complicado, pero podría traer soluciones más ajustadas al concepto de fairness

Cite this work

@misc {

title={

(HckPrj) Agentic Surveillance Mx

},

author={

Karime Pacheco, Santiago Gamboa, María José León, Jorge Castillo

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.