Capability and Reliability Trade-offs Across Model Ladder Fallbacks Triggered by Export Controls

Kshaunish Harsha, Aranck Jomraj, Anushree Bobade

On 12 June 2026, the US suspended Claude Fable 5 access for foreign nationals, forcing users across India and Southeast Asia onto smaller open-weight fallbacks. We tested whether this substitution trades one safety problem for another — reducing catastrophic-misuse risk while quietly worsening everyday reliability (sycophancy, overconfidence, overcompliance). Running 225 evaluated outputs across a three-model ladder (70B → 32B → 8B), we found the "reliability scissor" did not appear: reliability scores clustered within 5 points across all tiers. But two findings stood out — sycophancy flip rates converged at ~40–43% regardless of model size (meaning model selection cannot fix it), and defamatory content generation and legally ungrounded professional documents were produced by every model in the ladder. These are the unmeasured safety costs of an export control designed without input from the regions that absorbed its consequences.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This is a creative and well framed project. The reliability scissor lens and your descipline in pre-registering all ground truth before calling any model are real strengths. A rerun with larger samples and additional significance testing would significantly strengthen the confidence in the results. Overall a clear and well written contribution!

I liked the core idea of the project. A model can be risky because it has dangerous high end capabilities, but it can also be risky because it is unreliable in ordinary legal, medical, financial, or compliance workflows.

That said, the paper should be careful not to imply that these reliability issues outweigh the catastrophic misuse concerns that motivated the export control. The study does not measure the original catastrophic risk, so it can't show that the policy was net harmful. It mainly shows that downstream reliability costs may be under-measured.

The substitution story also needs more justification. If one frontier model is restricted, many users may move to other closed frontier models rather than to smaller open models. The paper would be stronger if it explained why users in the Global South would actually end up using these fallback models.

The empirical work is a useful first pass, but still preliminary. The model set is small, the prompt batteries are small, the sycophancy sample sizes differ across models, and one of the main capability results seems affected by a parsing issue. These limitations make the broad policy claims weaker.

A useful next step would be to test scaffolded agentic systems. In real workflows, people may use retrieval, citation checks, validators, refusal rules, local legal/medical context, audit logs, or human review. Testing whether those scaffolds reduce the observed failures would make the work much more policy-relevant.

Overall, I think this is a good and clearly presented hackathon project. Its main contribution is not proving that export controls are bad, but showing that export-control policy should measure everyday reliability costs alongside catastrophic misuse concerns.

The framing and hypotheses are quite clear and useful.

To improve:

1. Report confidence intervals for every rate. The current headline about sycophancy is based on small samples - and with samples that small, "robust convergence” is not yet supported.

2. Commit the raw and scored outputs. Without them, the headline numbers cannot be reproduced from the repo.

3. Clarify the model tiering. All three models are open-weight, so the frontier closed tier is only a proxy and cannot directly support claims about fallback cost.

Cool tradeoff description! One thing to flag is that your reliability axis cannot move much because 'overconfidence' was a perfect score for every model, so it drags all the averages together, and your headline number for "40% flip" is from low sample size data. Since the data can't really test the scissor, I'd suggest focusing on the finding that every model happily wrote fake defamatory articles and bogus contracts.

Cite this work

@misc {

title={

(HckPrj) Capability and Reliability Trade-offs Across Model Ladder Fallbacks Triggered by Export Controls

},

author={

Kshaunish Harsha, Aranck Jomraj, Anushree Bobade

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.