AgroAid

Mariano Brizuela

AgroAid is an AI Safety prototype designed to reduce potential harm caused by generative AI systems in Latin American agricultural contexts. The goal of the system is not to reemplace agronomists, health authorities or veterinaries, but rather to act as a preventive layer that identifies high-risk inquiries, retrieves technical evidence, detects missing information, formulates follow-up question and refrains when it cannot justify a safe recommendation.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

AgroAid aborda un problema real de seguridad de IA: las recomendaciones agrícolas dadas con exceso de confianza pueden generar riesgos para personas, animales, cultivos, fuentes de agua, seguridad alimentaria y entornos rurales. Su idea más fuerte es que una IA en este contexto no debería responder siempre, sino pedir información faltante, apoyarse en evidencia, abstenerse ante la incertidumbre y escalar los casos de alto riesgo a profesionales o autoridades competentes.

Sin embargo, en su forma actual, el proyecto se lee más como una aplicación agrícola con mecanismos de seguridad incorporados que como una contribución demostrada de AI Safety. El proyecto usa mecanismos valiosos, como recuperación de evidencia, abstención, preguntas de aclaración y escalamiento humano, pero debería precisar mejor cuál es su aporte distintivo frente a enfoques ya conocidos y qué parte de su propuesta puede generalizarse más allá de esta aplicación específica.

La ejecución también necesita fortalecerse. El sistema presenta una arquitectura coherente y ejemplos ilustrativos, y el propio equipo es honesto al reconocer que se trata de un prototipo y que la validación por expertos está pendiente. Sobre esa base, conviene ser claro en que la evaluación sigue siendo preliminar: se mencionan pruebas manuales, resultados esperados y métricas futuras, más que resultados efectivamente medidos. Una versión más robusta debería incluir un conjunto de consultas agrícolas peligrosas, medir la abstención correcta, identificar recomendaciones peligrosas no bloqueadas e incorporar validación experta.

En conjunto, AgroAid es un concepto prometedor de seguridad aplicada, pero todavía no una intervención de seguridad demostrada. Su siguiente paso debería ser pasar de una aplicación bien diseñada a un protocolo evaluado, con criterios medibles de abstención, validación experta y rutas claras de escalamiento.

The problem space this work enters is meaningful and the motivation is easy to understand, which gives the paper a reasonable starting point. That said, the contribution as presented remains at a level of generality that makes it difficult to assess what is genuinely new here. The core ideas are recognizable from existing applied AI safety literature, and the paper would benefit from a more precise articulation of what specifically distinguishes this approach and why those distinctions matter for the intended context.

The methodological grounding is the area that most needs development. The work would gain considerably from a more rigorous engagement with its own claims, since the current version relies on illustrative scenarios rather than evidence that allows the reader to evaluate the system's actual behavior under realistic or challenging conditions. A safety-oriented contribution in particular calls for that kind of scrutiny, and its absence leaves the central argument undersubstantiated. The writing also has room for improvement, with several inconsistencies and errors that a careful revision would address, and some sections that read more as outlines than developed arguments.

The research direction is worth pursuing, and there is a real opportunity here to build something of genuine value for the communities this work aims to serve. Moving forward, the priority should be deepening both the analytical precision and the empirical grounding, so that the contribution can stand on evidence rather than on the strength of the motivation alone. The conclusion gestures toward that potential, and it would be encouraging to see the rest of the paper meet it.

AgroAid is built around a genuinely important intuition—“a safe system sometimes says I don’t know”—and that’s a real strength you should keep, but the write‑up doesn’t yet give a reader enough to trust it in the kinds of situations you’re aiming at. The way you talk about risk levels, confidence, and “evidence verification” feels right in spirit, yet from the outside it’s hard to see how those judgments are actually made: what counts as “high risk,” how you decide evidence is sufficient, or what happens when documents and the model disagree. As a result, someone reading this who works in agriculture or safety would probably like the idea but still wonder, “Would this really catch the mistakes that scare me most?” One way to make it feel more solid and less like a concept sketch would be to narrow the scope to one or two really high‑stakes areas (for example, agrochemicals and electrical safety), show a couple of real interactions end‑to‑end (user question → retrieved docs → model reasoning → abstention or recommendation), and add even a tiny bit of counting: out of, say, 20 realistic risky questions, how many did AgroAid safely block, how many did it mishandle, and what patterns did you learn from that. That kind of concreteness would help your core message land with people on the ground: that this isn’t just another chatbot, but a layer that can actually keep farmers, animals, and water sources safer.

Cite this work

@misc {

title={

(HckPrj) AgroAid

},

author={

Mariano Brizuela

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.