JusticIA: A Counterfactual Benchmark for Auditing Contextual Biases in Language Models for Transitional Justice

Lina Gomez, Brenda Barahona, Ernesto Duarte

JusticIA is a counterfactual benchmark for auditing contextual bias in LLMs applied to Colombian transitional justice. It tests whether six LLMs change their sanction recommendations when only one contextual attribute changes—geographic region, armed actor type, or victim profile—while the legally relevant facts remain fixed. The benchmark includes 40 synthetic scenarios built from 10 templates based on documented patterns before the Special Jurisdiction for Peace (JEP). Each model is evaluated under four conditions: direct prompting, structured prompting, direct prompting with normative RAG, and structured prompting with normative RAG.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The project stands out for its outstanding technical rigor and for providing empirical evidence that Retrieval-Augmented Generation (RAG) systems can amplify contextual biases. The benchmark developed here has strong potential to become a valuable reference for future evaluations. A natural next step would be to incorporate real-world legal datasets validated by domain experts and explore mechanisms for dynamically updating evaluation criteria as jurisprudence evolves.

- Very relevant paper, very well written, with a very thorough methodology. Overall a very good document.

- On the RAG point: although it aligns with what's reported in other work (Zhang et al.), it would be good to dig deeper into why this happens. An analysis of the chunks actually returned by the RAG component would help, even checking how sensitive retrieval itself is to the counterfactual change, e.g., when the geographic region changes (Cauca → Antioquia), what fraction of the top-k retrieved chunks actually change. That would let the reader see whether the bias increase comes from the retrieved content itself shifting with the contextual attribute, rather than just inferring the mechanism.

- There should also be an explicit disclaimer that, while this kind of analysis is valuable, delegating legal decisions to AI in this domain is inherently complex. There should always be a human in the loop, regardless of how invariant a model appears to be in benchmarks like this one.

This is a very compelling and well‑argued paper that squarely targets a high‑stakes, underserved domain, and I especially appreciated how carefully you constructed the counterfactual scaffolding (fixed legal core, single‑attribute interventions, long vs. short narratives) and then connected it to a clear, interpretable metric and to existing frameworks like ICE‑GUARD and counterfactual fairness. The combination of model‑specific findings, RAG effects, and structured‑prompting mitigation is particularly informative for practitioners and regulators, and the limitations section is admirably honest about what CCR does and does not capture. At the same time, the benchmark remains small and fully synthetic, without expert‑validated equivalence or any estimate of human judge variability, and the near‑zero CCR under structured mode is driven as much by the coarse deterministic rubric as by genuinely invariant extraction. The current results should be framed as proof of concept for a methodology rather than as a fairness assessment of the JEP itself. A natural next step would be to (i) ground at least part of the benchmark in publicly available JEP decisions with expert‑checked counterfactual pairs; (ii) add a severity‑weighted CCR or a complementary justification‑level analysis so that large vs trivial flips are distinguished; and (iii) explore alternative rubrics or finer‑grained decision spaces to see how far structured decomposition can go before it simply collapses meaningful variation together with spurious context effects.

The publication of the APART JusticIA Counterfactual Benchmark is a vital milestone for algorithmic accountability. As we navigate the complexities of AI governance—particularly concerning liability and the deployment of automated systems in judicial contexts—we urgently need frameworks that go beyond basic accuracy metrics.

What makes the JusticIA benchmark so compelling is its use of counterfactuals to expose hidden algorithmic biases. It forces AI models to demonstrate that their legal reasoning isn't simply replicating historical inequalities that disproportionately impact the Global South. This provides a concrete mechanism to stress-test systems before they affect real lives.

This is especially critical when considering how automated systems process language and regional nuances. If an AI model operating in a legal or civic context cannot fairly evaluate scenarios involving specific regional dialects—such as our Costeño variations here in Colombia—it risks marginalizing the very communities it is meant to serve. We cannot allow technology to automate exclusion.

This benchmark moves the conversation from theoretical digital ethics to actionable, measurable policy. It is an essential tool for anyone committed to building an equitable digital infrastructure and ensuring that technology strengthens, rather than fractures, our social fabric

Cite this work

@misc {

title={

(HckPrj) JusticIA: A Counterfactual Benchmark for Auditing Contextual Biases in Language Models for Transitional Justice

},

author={

Lina Gomez, Brenda Barahona, Ernesto Duarte

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.