Gradual Disempowerment at Scale: Measuring Cumulative Agency Erosion in Algorithmic Management of Indian Delivery Workers

Pavitra Kushwaha

AI safety has many tools for acute model failures but few evals for gradual disempowerment: incremental loss of human influence as automated systems control decision channels. We operationalize Kulveit et al. 2025 as a five-dimension Gradual Disempowerment Score (GDS) for Indian delivery platforms. The pipeline combines Fairwork India evidence for Swiggy and Zomato from 2021-2024, NITI Aayog gig-workforce estimates, and a clearly labeled synthetic predictive lock-in simulation where worker-level allocation logs are unavailable. Results are mixed. GDS peaks around 2022-2023, then falls in 2024 as Fairwork-evidenced contracts and management improve. In 2024, Swiggy scores 37.88 and Zomato 38.28 on a 0-100 risk scale. GDS is best read as a replicable diagnostic for hidden agency erosion, not proof that every public indicator worsened.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Great presentation. Would be good to also add some context on addressing the privacy, security and anonymizatoin protocols required for safely extract the actual worker data

Can also expand on the discussion to explain exactly how the dimensions of interpretability, appeals, and lock-in compound mathematically or theoretically would strengthen the justification for the GDS weighting architecture

- interesting attempt to turn gradual disempowerment into measurable questions.

- underexplored lens for AI governance

- The main improvement needed is to define more clearly when ordinary platform coordination becomes disempowerment, and to validate the proxy score against worker-level evidence or platform disclosures.

Bridging AI safety's gradual disempowerment framing with labor platform auditing via a replicable metric is genuinely novel and worth developing further. The biggest weakness is D4 (predictive lock-in), which is entirely synthetic and carries the most interesting safety risk. Validating this dimension with even a small set of opt-in worker app traces would transform the paper's most important claim from an assumption into evidence.

This is a thoughtful and regionally grounded AI safety governance submission. The project applies the idea of gradual disempowerment to a concrete Global South setting: algorithmic management of Indian delivery workers on platforms such as Swiggy and Zomato. The proposed Gradual Disempowerment Score is a useful exploratory diagnostic that tries to connect AI safety concerns about loss of human agency with platform-labor evidence, using dimensions such as decision space, interpretability, appeals, predictive lock-in, and exit viability. The report is especially strong in its careful framing: it does not claim that disempowerment monotonically worsens, clearly labels the predictive lock-in component as synthetic, and treats the score as a diagnostic rather than proof of harm. The concise visual presentation and weight-sensitivity check also make the submission easy to evaluate.

That said, the project should be understood as an early operationalization rather than a mature or strongly validated eval. Algorithmic management, platform labor, and gig-worker precarity are already substantial research areas, and the AI safety connection here is broader and more governance-oriented than in submissions that directly evaluate model behavior or deployed AI systems. The main limitation is construct validity: GDS has not yet been validated against worker-reported agency, ability to contest decisions, health, income stability, or actual allocation outcomes.

The most AI-specific component, predictive lock-in, is synthetic because platform-level worker logs are unfortunately unavailable, and the weighting scheme remains subjective even with the included sensitivity analysis.

Overall, this is a promising exploratory submission with clear Global South relevance. A stronger next version would add worker interviews, platform-specific evidence, uncertainty intervals, broader weight sensitivity, and validation against real worker experiences or opt-in app traces.

Cite this work

@misc {

title={

(HckPrj) Gradual Disempowerment at Scale: Measuring Cumulative Agency Erosion in Algorithmic Management of Indian Delivery Workers

},

author={

Pavitra Kushwaha

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.