AI Kernel Killswitch

Jean Naude

AI-kernel-kill-switch is a last-resort kill-switch for a self-hosted LLM that may be misaligned or going rogue: a trusted operator sends an AES-256-GCM-authenticated payload inside an ordinary prompt.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This is a genuinely useful piece of engineering work that addresses something the field talks about but rarely implements: a hard, authenticated off-switch for a deployed LLM. The two-phase structure building the harness mechanism first, then interrogating whether the same functionality could live in the weights is the right way to frame the question, and the negative result in Phase 2 is arguably the more important contribution. The finding that a kill-trigger is linearly detectable at 100% accuracy yet not removable by single-direction ablation independently reproduces the Sleeper Agents robustness result from a different angle, which adds real value.

A few things would strengthen this substantially. The operator-key custody problem is acknowledged in limitations but deserves more engineering attention — the paper essentially says "a leaked key is bad" without proposing a concrete mitigation (HSM integration, key rotation, threshold signatures). Similarly, the claim that the golden master "survives" is taken largely on faith; there's no adversarial test of whether a sufficiently capable model could locate and read its own checkpoint before the kill fires. The loopback-only guard on the shredder is a smart safety constraint, but the paper doesn't demonstrate what happens if someone attempts to run the harness outside that environment. On the Phase 2 side, testing only single-direction ablation at one mid-stack layer per model is a known limitation the authors flag, but it means the "not removable" claim is more precisely "not removable by this specific method" worth stating more carefully in the abstract. Overall this is solid, practically motivated work that would benefit from a cleaner separation between what was demonstrated live on hardware versus what was reasoned about theoretically.

This is the strongest submission of the batch on execution, and one of the most intellectually honest. Two genuinely distinct contributions: a working, live-verified cryptographic kill-switch, and a clean negative result on backdoor removability replicated across four model scales. Main issues:

The two phases serve different purposes and the coupling is somewhat rhetorical. Phase 1 (kill-switch) and Phase 2 (trojan detection/ablation) are stitched together by the argument "therefore the kill control belongs in the harness, not the weights." That's a reasonable framing, but Phase 2 doesn't really test whether anyone would put a kill-trigger in the weights — it tests whether a single linear direction can remove an arbitrary backdoor. The conclusion is sound; the bridge between the two is more narrative than empirical.

The kill-switch is engineering, not a research finding. It works and is well-built, but "an operator can authenticate a payload that scrambles weights and crypto-shreds a volume" is a solid systems implementation rather than a novel safety result. Its value is as a demonstrated artifact. The limitations section is admirably thorough and pre-empts most objections (self-exfiltration, pre-placement, key custody), which is exactly right — but those limitations also bound how much the kill-switch advances the field versus simply existing.

Phase 2's negative result is the more scientifically interesting half, and it's somewhat undersold by scope. Single layer, single direction, one trigger style — the authors flag all of this. But "ablation doesn't remove it" replicating Arditi-style single-direction methods on a backdoor is a meaningful contribution precisely because it's a clean, controlled negative with a random-direction control and a perplexity check ruling out the lobotomy confound. That methodological care (the additive-steering-is-cheating note especially) is the best part of the submission.

Confounds worth flagging. The benign perplexity baseline is very low (short prompts), which the author notes — but it makes the 3B's 1.1→3.2 jump hard to interpret. And the trojan is self-trained, so Phase 2 shows "a backdoor we inserted survives ablation," not necessarily a naturally-arising one.

This is seriously good work. You've built an emergency stop that the owner of the system controls, you keep it separate from the AI itself, and best of all, everything you claim can be checked by just running it, which is rare and valuable. My one honest worry is the name, because "kernel" makes it sound like the off switch is protected deep inside the computer's core, and it isn't, it's an ordinary program that anyone with full control of the machine could still get around (you admit this yourself, which I respect). The whole thing also rests on a single secret key, so if that key is lost or stolen the protection falls apart, and I'd lock that key away in dedicated security hardware, add a few guards so the AI can't quietly copy itself somewhere safe before the switch fires, and maybe give it a more honest name, since the work is strong enough that it doesn't need to oversell itself.

Cite this work

@misc {

title={

(HckPrj) AI Kernel Killswitch

},

author={

Jean Naude

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.