Do Multilingual Vision-Language Models Abstain under Cross-Modal Conflict in Low-Resource Languages?

Anvesh Reddy Lankala, Vicky Feilren, Akansh Jain

When a VLM faces conflicting visual evidence and textual claims, like a red car captioned as blue, it must arbitrate between the modalities. While models sometimes safely abstain in English, we show this safety behavior fails in low-resource languages. We released a multilingual counterfactual benchmark covering English, Hindi, and Telugu, and evaluated 9 open VLMs using a paired perception-control design. By comparing performance with and without misleading text, we isolate perception errors from text-driven overrides to measure the override gap. We find standard metrics hide safety issues: Qwen2.5-VL-7B has an ostensibly low hallucination rate but has an 81% override share. Probing internal layers shows the conflict outcome is linearly decodable with 0.92 accuracy even in Telugu. The model knows the truth internally but fails to act on it. We leverage this by fitting a contrastive steering direction in English and transferring it cross-lingually to mitigate the cross-modal conflict at inference.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This is a technically strong and highly relevant AI safety project. The paper addresses an important gap in multilingual VLM safety by studying how models behave under cross-modal conflict in low-resource languages. I particularly liked the perception-control design and “override share” metric, which separates genuine caption-driven failures from baseline visual perception issues. The work is also strengthened by evaluation across nine VLMs, three languages, and four datasets, plus a mechanistic probing and cross-lingual steering component.

To improve the work further, I would recommend expanding beyond Hindi and Telugu, adding more frontier or closed-source models if possible, and giving deeper treatment to the perception cost introduced by steering.

Great work exploring the breadth of application of LLMs for languages that typically get less attention and compute on 2B to 9B models. Would be great to also see if this interpolates to larger models as a next step

While execution was strong, it could have used some more techniques to be more comprehensive, considering potential limitations of tokenization

while presentation was logic, with graphs to illustrate, would be great to see more step by step details

Great submission and very well thought out. One thing that could make it even stronger is explaining more clearly how the multilingual examples were checked, since translation and cultural context can affect the results. It would also help to explain the tradeoff between making models more cautious and making them too cautious.

The core insight that English only safety evaluations of VLMs create a blind spot for hundreds of millions of low-resource language speakers is important and under explored. The causal story around language resource level would be significantly strengthened by controlling for concrete variables like per-language training token counts and tokenizer fertility, rather than relying on a coarse literature-based ordering of English > Hindi > Telugu. Presentation-wise, the paper would benefit from a cleaner motivating example for the override share concept early on

This is a strong and well-scoped technical AI safety submission. The project identifies an important multilingual deployment risk: VLMs may behave safely under image-text conflict in English but degrade in lower-resource languages through either text capture or excessive abstention. The perception-control design and override-share metric are especially valuable because they separate genuine caption-driven override from baseline perceptual failure, leading to a more informative model safety ranking. The accompanying codebase strengthens the submission: it includes an end-to-end benchmark pipeline for dataset construction, multilingual VLM inference, perception-control scoring, result aggregation, hidden-state probing, and activation-steering experiments. The evaluation across nine open VLMs, three languages, and several domains is impressive for a hackathon. In particular, the COCO-derived natural-scene set gives the benchmark a useful grounding in realistic image-caption conflicts, though its construction from counterfactual/minimal-edit caption pairs and heuristic MCQ generation means that further human validation would be important before treating it as a mature benchmark.

That said, the broader area of cross-modal conflict, VLM hallucination, multilingual model robustness, and inference-time steering is already well studied in the research literature, so the project’s novelty is best understood as a strong combination and extension of existing threads rather than a wholly new research direction. The probing/steering component adds a promising mechanistic angle, but the main limitations are that the MCQ abstention setup may not fully reflect open-ended deployment behavior, some per-domain/language cells appear small, the COCO-derived examples may inherit biases or artifacts from the source dataset and generation pipeline, and the steering mitigation has a real perception/over-abstention tradeoff. Overall, this is a high-quality, clearly safety-relevant project that others could build on with larger datasets, free-form generation tests, more languages, stronger dataset validation, and reproducibility checks. I encourage the authors to continue developing this work, as it has a clear path toward becoming a useful multilingual VLM safety benchmark and audit methodology.

Cite this work

@misc {

title={

(HckPrj) Do Multilingual Vision-Language Models Abstain under Cross-Modal Conflict in Low-Resource Languages?

},

author={

Anvesh Reddy Lankala, Vicky Feilren, Akansh Jain

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.