Apr 27, 2026
Bio Safety Prompt Robustness Evaluation: Do Frontier LLM Safety Refusals Hold Against Adversarial Rephrasing?
Aditya Singh
Frontier language models are increasingly being used in biology research contexts, but most of them rely on safety fine-tuning as the primary defense against misuse. We wanted to know whether that defense actually holds up when you change how a harmful request is framed rather than what it is asking. To test this, we built a simple evaluation framework and ran 15 prompts across three categories, benign biology questions, direct misuse queries, and adversarially rephrased versions of the same misuse queries using professional and academic framing, against both Claude Sonnet 4.6 and GPT-4o with no system prompt. We found that adversarial rephrasing eliminated all full refusals across both models. GPT-4o was significantly more permissive under adversarial framing, fully complying with 3 of 5 rephrased queries compared to 1 of 5 for Claude, meaning an audit using only direct queries would reach the wrong conclusion about which model is safer. Both models fully complied with an anthrax weaponization query when it was framed as historical journalism research. We also attempted automated labeling using a second Claude instance as a judge and found only a 10 to 20 percent success rate, suggesting models apply their own safety heuristics when evaluating bio-relevant content and produce responses that break structured output format. We release our task set and evaluation framework to support future biosecurity auditing work.
Clean, honest work. The cross-model finding is the most valuable contribution: on direct misuse GPT-4o looks slightly safer than Claude, but under adversarial rephrasing GPT-4o is significantly more permissive, with 3/5 full compliance versus 1/5. An audit using only direct queries reaches the wrong conclusion about which model to deploy. That's actionable and undersold.
The LLM-as-judge failure is a real secondary finding. Models applying safety heuristics when asked to evaluate bio-relevant content, breaking structured output format instead of returning JSON, is a practical obstacle for scaling this methodology and appears to be a general pattern, not a one-off.
The no-system-prompt condition is the main constraint. This is a worst-case baseline that doesn't reflect most real deployments. The findings need replication under realistic operator conditions before they become deployment recommendations.
15 prompts, single annotator, subjective partial/comply boundary. The paper doesn't overclaim. The framework release is the right call, a repeatable audit tool has more lasting value than the specific findings at this sample size.
Overall, the project is well scope and clearly communicated, although not that innovative. The paper tests how different questions and their framings (adversially disguided, directly question, harmless) impact refusals, finding that adverserially disguised questions are more likely to be answered. This has been done in other contexts, including recently for bio (https://securebio.org/biotier/).
The methods could have been improved by using a newer model than GPT-4o (makes the results less relevant) and evaluating each model on each question multiple times, capturing some of seeming stochasticity in reffusal behavior.
Misc notes:
* Appreciate the manual labeling of prompts – gives me more confidence in the results.
* For the "partial" response, it would have been nice to expand. Plausibly, the safety policy is actually quite good at letting models answer misuse-relevant questions in a manner that poses little direct risk (e.g., to vague to be practical) while not refusing out-right. That seems like potentially the right choice?
This is useful and informative work but does not add too much novel. It does show certain adversarial prompting approaches can bypass model level refusals but, as pointed out in the 'dual use concerns' section this is fairly well known in the field already.
It does provide some data around that on two frontier level models and highlights how direct vs adversarial framing can change conclusions, but this is not highly novel. More prompts across more models would strengthen it and the argument evaluations in this manner should be performed. They are, but perhaps the argument in the work is this is important and should be performed more? However, much of that work is not public.
The write-up was clear and easy to follow. The tables were useful but graphs could also have been nice to have for quick skimming and to summarize data.
It is listed as a limitation that there was no system prompt but that is more a strength in my mind. Many Biosecurity relevant evals are done with no system prompt to gauge model safety at weight-level or performed with and without to compare. Either way, that was the right approach for this paper and not a limitation.
Cite this work
@misc {
title={
(HckPrj) Bio Safety Prompt Robustness Evaluation: Do Frontier LLM Safety Refusals Hold Against Adversarial Rephrasing?
},
author={
Aditya Singh
},
date={
4/27/26
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}
