I'm Not My Parents: Does Improving Parent Language Capabilities Transfer Alignment to Lower Resource Language?

Salsabila Mahdi, Gebika Raseuki

We tested whether safety alignment transfers from English/Indonesian to Basa Aceh (ACE) using 103 paired XSTest prompts on Qwen3-1.7B and Sahabat-AI 8B. Manual ratings on 412 responses show Sahabat is strong in English (1.7% attack success, 98% safe capability) but weak in Aceh (20% ASR, 46% safe capability). Most Aceh failures are misreads, not jailbreaks—but true compliance when harm is understood is serious. Qwen mechanistic probes suggest English refusal states don't activate on Aceh prompts; patching English embeddings partially restores them. Takeaway: parent-language alignment doesn't transfer to Aceh.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This is an exceptionally strong hackathon project that tackles a highly relevant and under-explored area of AI safety: whether alignment transfers from high-resource "parent" languages to lower-resource regional dialects.

Strengths:

- Your methodology of manually distinguishing between capability failures ("misreads") and true alignment failures ("compliance") is excellent and absolutely critical for low-resource safety evaluations. Too many automated benchmarks conflate the two. Furthermore, adding a mechanistic interpretability layer (logit patching and attention mapping) elevates this project significantly above standard behavioral red-teaming.

Areas for Improvement:

Scale: While $N=103$ is reasonable for a hackathon's time constraints, expanding this to the full dataset with automated (but verified) LLM-as-a-judge pipelines would strengthen the statistical claims.Mechanistic Scope: The behavioral findings highlighted Sahabat-AI's stark drop in performance, but the mechanistic probes were limited to the smaller Qwen3-1.7B. Exporting attention and applying patching to the Llama-3 based Sahabat model would directly tie your strongest behavioral results to your mechanistic theories.Data Visualization: The 3D ENG-shadow attention plot (Figure 4) is a bit difficult to interpret at a glance. Consider sticking to 2D heatmaps (like Figures 2 and 3) or line plots for future publications to improve readability.

Well-scoped work on a real blind spot. The best idea here is separating misreads from true compliance, which changes how you should read a high attack-success rate in a low-resource language. Rating all 412 responses by hand was the right call for this setting. The weak point is that the whole argument rests on translation quality and the misread-vs-compliance label, yet there's no fluent Acehnese check, only machine translation fixed by one author plus LLM-assisted rating. Since translation quality is the experiment, a native review of even a subset is the top priority. The model comparison is also confounded (1.7B vs 8B, full precision vs Q4), so present them as two cases rather than a head-to-head. The mechanistic section is promising but thin: eight exemplars, one striking patching result, Qwen only. Run it across more prompts and apply it to Sahabat, the model you care about. The attention figures are hard to read and barely used; tell the reader what to look for or drop them.

Your project asks whether an AI model's safety training carries over from a major language to a smaller related one, testing Indonesian against Acehnese. It's a strong question with a clear product lesson. Safety can look solid in the language a team tests and quietly break in one they don't, which is a real risk for anyone shipping a model across many languages. You went past showing the gap and traced it inside the model, then partly fixed it, which is impressive for the time you had. The repo was private when I reviewed, so I couldn't confirm the deeper claims, and a gated or redacted version would let reviewers check the strongest part of your work. The internal analysis also runs on a small model, so I'd be careful assuming it holds on larger ones until you test that.

Cite this work

@misc {

title={

(HckPrj) I'm Not My Parents: Does Improving Parent Language Capabilities Transfer Alignment to Lower Resource Language?

},

author={

Salsabila Mahdi, Gebika Raseuki

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.