AI Colonialism 2.0: Is India Training the Models That Will Govern It?

Punith N

India supplies the world's largest AI annotation workforce (450K+ workers) and training data from 850M internet users, yet produces zero frontier AI models and has no operational safety evaluation institute. This paper introduces the AI Governance Dependency Framework (AGDF) — a first-of-its-kind tool that scores a nation's AI dependency across 5 pillars (Compute, Model, Evaluation, Governance, Data). India scores 17/25 (high dependency)vs. US (1/25), China (6/25), EU (7/25).

A safety benchmark of 4 frontier models (ChatGPT, Claude, DeepSeek, Gemini) on 25 India-specific prompts reveals a 54% cultural competence gap between the best and worst performers on caste, religion, elections, and linguistic diversity, a disparity no Indian institution monitors. The paper connects these findings through a case study of Anthropic's Claude Mythos, where India was initially denied access to a cybersecurity AI model despite critical infrastructure needs, illustrating how dependency produces real-world consequences. Five policy recommendations are proposed, with establishing an operational AI Safety Institute identified as the highest-impact intervention.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The AGDF is clearly written and the dependency-versus-readiness framing is a reasonable lens, but four issues hold the contribution back.

First, the central concept is not problematized. Dependency is treated as a single property each country has or lacks, yet interdependence across the AI stack is mutual: every node, the US included, depends on others (Taiwanese fabrication, Dutch lithography, Gulf energy and capital, Global South annotation labor). The US score of 1/25 an artifact of choosing pillars where the US sits upstream; scoring the same countries on fab inputs, energy availability, or labor supply would reorder the table. What turns dependency into the "strategic vulnerability" the paper invokes is not reliance itself but its asymmetry, non-substitutability, and weaponizability, the chokepoint dynamics of weaponized interdependence (Farrell and Newman).

Tellingly, the paper's strongest example, the Mythos access decision, is compelling precisely because it is a chokepoint (one controller, no substitute, access as leverage), but the framework has no vocabulary for that, which is why it reads what public reporting describes as a staged rollout, later expanded to include India, as structural exclusion. Reframing the dependent variable around asymmetric, weaponizable dependence, scoring substitutability, supplier concentration, and coercive capacity per pillar, would both fix the US anomaly and target the dimension that actually matters.

Second, the novelty is overstated. The five pillars largely relabel indicators already tracked by the Stanford HAI Index, the Oxford Readiness Index, and others, with the sign flipped so high denotes dependency. Once frontier-model ownership is made load-bearing, India's "high dependency" result restates a known fact rather than discovering one, and the comparative scores (US 1, China 6, EU 7, India 17) mostly recover the obvious frontier-and-investment ordering.

Third, the scoring is less transparent than claimed. Two of the five pillars, including Evaluation, which drives the headline, are manually adjusted away from what the published sub-score rubric produces (the appendix sums Evaluation to 5 then "adjusts" to 4, and Governance to 4 then to 3), with only a one-line rationale. A replicable instrument cannot reserve discretionary overrides for its most consequential pillars. A stronger design would set an explicit rule for which existing national initiatives count, justify it, and score each country mechanically from there.

Fourth, the safety benchmark reads as a separate study rather than evidence for the framework. Model-to-model variation in India-specific cultural competence does not measure India's dependency; the asserted bridge ("no institute measures this, therefore it evidences dependency") does not follow, since the model gap exists regardless of India's score. The benchmark also rests on a single annotator scoring 25 prompts with no inter-rater reliability, and returns a clean sweep for one commercial model across every category and sub-dimension, which on subjective 0–10 judgments warrants caution before being elevated to population-level policy claims. Reporting multiple independent annotators and IRR (already noted in the author's limitations) would help substantially, and the framework and benchmark would each be stronger decoupled and individually validated.

This is ambitious and well argued work! Turning the "AI colonialism" theory into a concrete, reproducible scoring instrument fills a real gap, and the steelmanning of counterarguments in 7.2 is a genuinely strong touch. Adding a second annotator with inter-rater reliability (either tightening to the AGDF or the benchmark rather than both) would significantly strenghten this project. Overall creative and well written!

Cite this work

@misc {

title={

(HckPrj) AI Colonialism 2.0: Is India Training the Models That Will Govern It?

},

author={

Punith N

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.