LeakMap AI: Evidence-Backed Jurisdictional Exposure Map for AI Prompts

Anish, Disha, Dashrath

LeakMap AI is an AI governance and data-sovereignty audit platform that analyzes prompts before they are sent to AI providers. It detects sensitive data, visualizes verified/disclosed/inferred jurisdictional exposure, links every claim to evidence sources, recommends redaction, and offers a local sovereign mode for safer handling of sensitive prompts.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The thing I like most about LeakMap is that it refuses to overclaim. Almost everything in this space pretends it can see inside the provider, and you don't — you say so up front and then build the whole model around that honesty. Splitting things into verified endpoint, disclosed documentation, inferred risk, and unknown internal path is the right call, and I like that you backed it with actual rules rather than just a disclaimer — capping confidence at 30% when evidence is missing, and always showing "unknown" for black-box providers, is the part that makes it credible. The redact-then-rescore loop and the local Ollama route are both genuinely useful and fit the sovereignty angle well.

Where it falls short for me is that this is still a tool and a demo, not a result I can check. The risk weights look hand-picked — health +25, gov ID +30, external provider +15, and so on — and there's no calibration behind them, so the "94/100, Critical" in your demo reads as illustrative rather than something a second person would arrive at independently. Same with the jurisdictional exposure: you're leaning on subprocessor lists and DPAs, which (as you rightly admit) show possible exposure, not actual. I'd have found it far more convincing if you'd walked one real example all the way through — take an actual provider's disclosed docs, show how that becomes a specific jurisdiction inference, and show one full evidence packet with the source IDs, the rules that fired, and how the confidence number was derived. Two things would lift this a lot: test the risk weights against even a small labelled set of prompts, and make one evidence packet fully auditable end to end. The DPDP templates and enterprise policy mode you mention at the end are where this turns into real governance value.

LeakMap AI tackles a really relevant issue right now—most people have almost no idea what happens to their prompts once they hit an AI provider, especially with all the different jurisdictions and cloud setups involved. I like how it tries to separate solid evidence from just inferred risks and even admits when the internal routing is unknown. The whole package—prompt sensitivity checks, evidence-backed visualizations, redaction suggestions, and local inference options—feels genuinely useful for teams worried about privacy and governance.

That said, the submission still comes across more like a polished product pitch than a working system. All those features (the globe visualization, evidence packets, AI Data Passport, confidence engine, rule system) are described in depth, but there's not much proof they've actually been built or tested beyond the conceptual stage. The demo shows what it's supposed to do, not what it reliably does in real conditions, so it's hard to judge how solid it is in practice.

A few bigger questions stood out for me too. How exactly are those risk scores and confidence levels calculated, and have they been checked against real experts or established privacy frameworks? Why these specific rules, and how much do the recommendations swing if you tweak the weights? Without some actual testing or validation, it's tough to know if the scores mean something or if they're mostly just heuristics.

The evidence-focused approach is probably the strongest part, but it would land better if they could show it genuinely helps people make smarter decisions compared to plain privacy notices, provider docs, or standard checklists. Some user studies or feedback from practitioners showing clearer understanding or safer prompt habits would go a long way.

It might be worth trying the tool with real teams or users in their actual workflows—see if it actually shifts how people write prompts, pushes them toward local models for sensitive stuff, or leads to better compliance choices. That kind of real-world evidence would make the case much stronger than feature lists alone.

Overall, it's a smart, thoughtful take on AI privacy challenges that doesn't overclaim. It just needs that next layer of actual implementation, testing, and proof that the system delivers better governance outcomes in practice.

The release of the LeakMap AI Project Report is a crucial development for the future of digital rights and algorithmic liability. As we rapidly integrate artificial intelligence into public and private infrastructure, the risks of data leakage and privacy breaches are compounding.

From a governance perspective, tools and frameworks like LeakMap are exactly what we need right now. We cannot meaningfully discuss ethical AI without addressing how these complex models handle—and potentially expose—sensitive information. For communities in the Global South, where data protection regulations are often still maturing, the vulnerability to systemic data leaks is a pressing digital rights issue.

This report shifts the conversation from reactive damage control to proactive technical accountability. By mapping out where and how vulnerabilities occur in AI pipelines, LeakMap gives policymakers, researchers, and technologists the concrete evidence required to design robust liability frameworks. It is a vital step toward ensuring our internet ecosystems remain secure and that technological advancement does not come at the cost of fundamental privacy.

Cite this work

@misc {

title={

(HckPrj) LeakMap AI: Evidence-Backed Jurisdictional Exposure Map for AI Prompts

},

author={

Anish, Disha, Dashrath

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.