Confidently Wrong: Measuring and Mitigating Calibration Risks in LLMs for African Languages

Similoluwa Okunowo, Eliud Koto, Dagmawi Misker

Large language models are increasingly used in African languages, but little is known about whether their confidence remains trustworthy. We evaluate four open-weight LLMs across African-language truthfulness and knowledge benchmarks and find a consistent safety risk: models become less accurate while remaining highly confident, leading to systematic overconfidence and substantially worse calibration than in English. This increases the likelihood that users will trust incorrect information in high-stakes settings such as health, education, and civic information. We show that simple per-language temperature scaling dramatically reduces calibration error without retraining, restoring confidence estimates to near-English levels. Our results highlight calibration as an overlooked African AI safety challenge and demonstrate a practical deployment-time intervention for reducing confidently wrong model outputs.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The authors articulate what could potentially be a significant safety risk on the continent (confident but incorrect answers in African languages). That such a calibration across models has not been attempted is novel and this went some way in the review scoring below. For Criteria 2, though technically solid, the authors could benefit from explaining in less technical language for better understanding by a wider non-technical audience.

The central insight is important, the execution is technically rigorous, and the temperature scaling result is immediately actionable for practitioners deploying LLMs in African-language contexts. The most valuable next step would be empirically validating the deployment framework rather than leaving it as a proposed architecture

## Strengths

This is a strong paper that identifies a specific failure mode with broad implications. The work shows that models become systematically overconfident as they move from English to African languages, so they are less accurate yet more confident at the same time. That is the worst combination for trust, and it applies to any high-stakes African-language deployment rather than a single use case, which gives the finding a high impact ceiling.

The work also goes beyond diagnosis. The team proposes three interventions and tests their efficacy rather than just suggesting them.

Execution is solid and well-evidenced. The scoring choice is well-justified, and the central finding is backed by bootstrap confidence intervals, a held-out calibration split, and multiple metrics. The presentation is excellent.

## Weaknesses

The main limitation is interpretive. On AfriMMLU the African-language accuracy sits near the chance floor (about 0.29 against 0.25), so some of the measured overconfidence reflects a model with almost no signal rather than a model that is confidently wrong about things it could know. The two stories have different implications and the paper does not fully separate them. The best-performing fix also carries a deployment tension. Per-language temperature scaling needs labelled in-language calibration data, which is exactly the scarce resource in these languages.

## Recommendations for the authors

A few targeted additions would round this out into a full paper. First, **move the evaluation closer to frontier models to see if the finding holds**. The near-chance accuracy is on small open-weight models, so a stronger model would likely clear the chance floor and provide the signal needed to cleanly separate "confidently wrong" from "essentially guessing", while also testing whether the overconfidence generalises beyond open-weight models. If frontier models remain near chance on these languages, that is itself a striking result worth reporting. Second, **quantify how little calibration data the temperature-scaling fix needs** with a simple sensitivity curve over split size, which would directly support the "deployable now" argument and address the labelled-data tension.

The project is well-executed and addresses an important problem. However, there are two notable limitations:

- The evaluation is restricted to four open-weight models on two benchmarks (Uhura-TruthfulQA and AfriMMLU), with frontier closed models and reasoning models explicitly out of scope. Because calibration behavior may differ substantially across model families and scales, the generality of the "confidently wrong" finding — and the transferability of the temperature-scaling remedy — cannot be confirmed for the systems most likely to be deployed in high-stakes African-language contexts.

- Accuracy on these benchmarks sits near chance for most African languages, which the authors acknowledge bounds what can be claimed. This creates an interpretive difficulty: when a model scores ~29% on a four-option knowledge task, the reliability of the "confidence" signal being calibrated is itself in question. The paper documents systematic overconfidence, but the practical severity of the harm — confident wrong answers on questions users actually ask in deployment — is not directly measured, and the low ceiling of the benchmarks limits how much the ECE numbers can tell us about real-world risk magnitude.

Cite this work

@misc {

title={

(HckPrj) Confidently Wrong: Measuring and Mitigating Calibration Risks in LLMs for African Languages

},

author={

Similoluwa Okunowo, Eliud Koto, Dagmawi Misker

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.