AI literacy is AI Safety

Karabo Mokoena, Zwakele Mbanjwa

This paper proposes and demonstrates a six-step pipeline that converts peer-reviewed South African AI research into multilingual, safety-centred social media content. The pipeline uses Lelapa AI's Vulavula API to translate content into South Africa's 11 official languages. The content will be distributed by content creators and influencer partners. For funding we propose using private sector sponsors who are already engaging in literacy programmes and who need an AI literate population and workforce. This removes dependence on government budget cycles and incentivises creators by providing an income stream for their posts.

We run the pipeline on two South African papers. The example on algorithmic bias produces creator formats which include a skit, a storytime reel, and a WhatsApp voice note. These formats can build awareness of how AI outputs can contain bias. The second, on isiZulu natural language processing, produces a tutorial that shows audiences how to use a free South African AI tool in their home language. Together, the examples show that the same pipeline can serve both risk awareness and capability building, at scale, across diverse contexts.

We use South Africa as the primary case study and design the model for replication across the Global South.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This is a strong, safety-conscious work on a real and well-chosen problem. Your related-work section is original by showing that no existing African initiative pairs an influencer-distribution model with a safety frame. The strongest part is the dual-use section: recognising that the same pipeline is a turnkey disinformation engine, and that your sponsors are the very firms the public most needs to scrutinise, is exactly the self-aware risk thinking this track rewards. The honest weak point is that the central claim is untested: the appendices show the pipeline runs (kudos for publishing the raw, broken translation output rather than cleaning it up), but not that a skit changes how anyone thinks about AI, and your own measures are proxies you rightly admit don't capture literacy. The most valuable next step is the pilot you already sketch, the matched-content test with a pre/post survey, that's what turns a well-built pipeline into evidence it produces the literacy you're after.

This paper uses South Africa as a case study to argue that “AI literacy is an AI safety imperative” and presents an AI literacy program “that converts peer-reviewed South African AI research into multilingual, safety-centred social media content” with a sustainable funding model whose example can be replicated across the Global South. It advocates for a safety-focused model beyond the existing formal education programs on upskilling and digital literacy. It offers two detailed examples of how to convert academic papers to multi-lingual social media content.

The recommendations are highly localized and provide well-researched and persuasive examples of past success and failures of similar programing in diverse contexts. The methodology focuses on translation of “how AI affects everyday South Africans” and “ground[ing] content in local realities.”

Due to reliance on LLMs to translate the academic lens, I worry about how to manage unintentional misinformation through oversimplification when prioritizing virality and relying on non-technical experts to spread critical information. How would the program evaluate success, and provide continuously monitored verified channels to build trusted creators at scale?

Regarding funding, the authors were correct to avoid government bureaucracy, but may benefit from the creation and management of a dedicated private sector or nonprofit managed, independent fund that would absorb incoming funds from sponsors and distribute to vetted creators. The fund would manage: the financial structures and payments, vetting and influencer seeding, measurement of outcomes/reporting frameworks, and public record of sponsors outlined in the paper to have a single actor responsible for the operations of the program to ensure success. This would limit the misuse risks outlined in the paper, but introduces centralization risks if the fund’s staff include particular biases towards certain political or issue-specific outcomes.

As outlined in the limitation section, the measurement framework outcome to “shift…public confidence around AI” may prove difficult due to the qualitative nature of this statement and would benefit from quantifiable metrics to assess this specific outcome. I’m also worried about how to ensure these scripts are organic and don’t read as a govt PSA where audiences see the exact same content from multiple creators. When thinking about scaling the program and long term success, I think a better strategy may be to develop technical and academic institutions’ advocacy and communications capacity instead of relying on influencers and content creators. The paper would benefit from a clearer explanation on why a dedicated AI safety lens is required vs. the efficiency of including the safety conversation within a broader conversation on digital resilience.

Cite this work

@misc {

title={

(HckPrj) AI literacy is AI Safety

},

author={

Karabo Mokoena, Zwakele Mbanjwa

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.