How should the global south think and act about compute policy?

Adre Novais Xavier Rodrigues, Bruno De Biase Deo

We test whether the compute targets in Brazil's national AI plan (PBIA) are actually buyable with the budget the plan committed, and whether that spending is effective. We built an agent-based model with a 2,000-scenario Monte Carlo layer that turns each country's AI budget into installable frontier compute (FP64 PFLOPs, the TOP500 metric), gated by chip access, energy, and an endogenous chip price set by global demand. Brazil is the subject; the Gulf states, India, Egypt and Nigeria enter as competitors for the same scarce chips.

The plan's two compute targets, funded from one budget, diverge sharply: doubling national compute by 2027 is feasible in 100% of scenarios, while placing Santos Dumont in the TOP500 top five by 2029 is feasible in 0% (about 4% of the bar). The showcase target fails on framing and scale, not chips or energy: those add nothing, and even a tenfold budget reaches only ~7%. The verdict holds across every parameter extreme. Our takeaway for compute policy in the Global South: national compute goals should be written as absolute, budget-anchored targets sized to a country's own needs (running services, research, and evaluating deployed AI), not as positions in a moving global ranking that recedes at the frontier's growth rate.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The research question is interesting and a strong result could have actionable policy implications. Sadly, the methodology chosen was not the best fit to answer their research question.

Monte-carlo simulations are best suited for cases where randomness affects the outcome. In this case, it does not. Their main results are outcomes that happen 0% and 100% of the time, no randomness involved given their input parameters. And instead of explaining what are the key parameters the conclusion depends on and how they can be used to mechanistically deduce the final conclusions, the authors get lost on the details of the model instead of trying to explain in a couple sentences what's going on. I suspect the answer might be something like "if there's a few countries with bigger budgets than you that also want to have the largest supercomputer, it's really hard to beat them". Precise modelling is still really valuable, but only when it clarifies the final explanation of the mechanism, instead of hiding it.

Still, the writing was clear and direct, which made it easy and fun to read.

This is a rigorous and unusually well-presented modeling exercise: the provenance labeling, single-file reproducibility, robustness checks, and the disclosure that a validation fix strengthened rather than weakened the result are all exemplary. The central finding, that absolute, budget-anchored targets are reachable on a fixed budget while ranking targets move away at the frontier's growth rate, is correct and policy-relevant.

Three things would sharpen it. First, the actors that constitute the TOP500 frontier are the same actors Brazil competes with for chips, yet they enter only as an exogenous bar rising at a fixed 2.2×/yr. This makes the showcase verdict partly definitional: the model assumes the frontier runs away and then concludes Brazil cannot catch it.

Modeling at least the hyperscaler/frontier dynamics endogenously would test whether the result is discovered or assumed.

Second, the generalization to "the Global South" overreaches against the paper's own evidence: the Gulf plans clear feasibility thresholds within the plausible growth range, so the operative variable is budget-scale-relative-to-target-framing, not geography. Reframing the lesson around target design (absolute-and-needs-sized vs ranking-pinned) would be both more defensible and more useful, since not every relative target is infeasible for every endowment.

Third, the constructive half of the argument is asserted but not modeled. The doubling target is met 17× over in 100% of scenarios, so it functions as a trivial floor rather than a meaningful test, and the genuinely interesting question the paper raises (what absolute target sized to Brazil's actual evaluation, audit, and public-service needs would cost) is never quantified. The paper diagnoses the bad target with precision and leaves the good target as a principle; modeling even a rough needs-based figure would complete the contribution.

Cite this work

@misc {

title={

(HckPrj) How should the global south think and act about compute policy?

},

author={

Adre Novais Xavier Rodrigues, Bruno De Biase Deo

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.