Investigating Activation Threshold Failures in Cross-Lingual Prompt Rejection

Erickson Leon Kovalski

This study investigates the claim that LLM safety constraints fail in lower-resource languages by analyzing Llama-3's latent space in English and Portuguese. Mechanistic analysis reveals that the model exhibits high cross-lingual robustness, correctly aligning malicious concepts directionally across both languages. While we identified that Portuguese prompts suffer from a measurable "magnitude decay" compared to English, our findings indicate this geometric variance is relatively small.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This is one of the more technically grounded submissions in the hackathon. The core contribution — breaking down cross-lingual safety degradation by semantic domain rather than treating it as a uniform effect — adds genuine value beyond prior work. The finding that Economic Harm suffers severe Silhouette degradation in Portuguese while Illegal Activity remains almost structurally unchanged is immediately actionable for practitioners prioritizing where to patch multilingual safety. The KDE plot communicates this well.

Three concrete suggestions for strengthening this work:

Report sample sizes per category. The per-domain Silhouette Scores and magnitude results are the paper's central empirical claims, but the number of prompts per category is never stated. With small per-category samples these scores can be quite noisy, and this is the first thing a reviewer will ask. Adding this to any follow-up write-up is essential.

Validate the Layer 15 choice empirically. The theoretical justification for Layer 15 is well-argued, but a brief comparison across a few layers (e.g. 10, 15, 20, 25) would show whether the magnitude collapse is strongest there or whether a different layer tells a cleaner story. This is a cheap experiment that substantially strengthens the methodology.

Implement the inference-time steering intervention. The introduction proposes zero-shot latent steering to restore Portuguese magnitude as a potential fix — this is actually the most original idea in the paper — but it was cut to future work. Even a proof-of-concept on one domain (e.g. boosting Economic Harm prompts in Portuguese to match English magnitude) would make this a complete contribution rather than a diagnostic study. That experiment alone could be a strong short paper.

Overall: the mechanistic framing is right, the domain-specific breakdown is a real contribution, and the use of A100 compute with TransformerLens for proper activation extraction shows serious technical execution for a hackathon context. With the steering experiment implemented and sample sizes reported, this is well worth developing further.

This is a technically strong and relevant project that empirically probes cross‑lingual safety in Llama‑3 via mechanistic analysis of residual stream activations, introducing “Magnitude Collapse” and domain‑specific “Boundary Collapse” between English and Portuguese refusal behavior—highly pertinent for Global South contexts where low‑resource languages are common. The methodology is well crafted for a hackathon: curated dual‑use prompts across harm domains from established multilingual safety datasets, deliberate choice of Layer 15 as a semantic midpoint, explicit construction of a universal refusal direction, and use of scalar projections, KDEs, and silhouette scores to quantify geometric decay.

The authors clearly acknowledge limitations (single model family, one language pair, exploratory scope), but the work would be stronger with clearer practical mitigation pathways (e.g., a brief concrete example of latent steering at inference time), a bit more intuition for readers unfamiliar with mechanistic interpretability (short explanation of residual streams/refusal directions), and a sharper distinction between empirical findings and hypotheses.

Overall, it is a well‑executed exploratory study with high potential impact that convincingly shows safety alignment degrading in specific semantic domains across languages and could be further improved by tightening exposition for non‑specialists and sketching concrete next‑step interventions.

The core lens is a good one: decomposing the "universal refusal direction" into direction versus magnitude.

A few changes would substantially strengthen it. First, the headline "−371.6% magnitude collapse" is computed on a projection axis whose zero is arbitrary; the underlying effect is a −0.32 shift in mean projection, so reporting an absolute effect size would be far more credible.

Second, the safety claim is entirely geometric and, by your own framing, "theoretical" - a behavioral test showing the magnitude collapse actually produces a jailbreak would close the loop.

Third, the framing is low-resource fragility, but Portuguese is a high-resource language, which may itself explain the directional robustness you found; a genuinely low-resource language would better match the premise.

Cite this work

@misc {

title={

(HckPrj) Investigating Activation Threshold Failures in Cross-Lingual Prompt Rejection

},

author={

Erickson Leon Kovalski

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.