Apr 26, 2026
Mechanistic Upstream Guardrails for Biosecurity
Navraj Singh, Anjali
Current biosecurity protocols suffer from two fundamental vulnerabilities: 1) obsolete checks: relying on sequence-matching algorithms like BLAST, which are easily bypassed by novel AI-generated sequences; and 2) end-point-only screening: by waiting to apply these checks until a physical order is placed at the commercial sink, defenders forfeit the ability to intercept these attacks at their digital generation phase.
We propose moving security guardrails upstream into the generative pipeline itself. Our approach is two-fold: 1) mapping two attack paths: structural design via diffusion models and genomic sequence generation via DNA foundation models; 2) showcasing the successful use of interpretability techniques to implement security guardrails on upstream components of the attacker's pipeline. As a functional proof of concept, we trained an L1-regularized probe on ProteinMPNN's decoder representations, successfully classifying pathogenic geometric intent prior to sequence translation (0.86 ROC-AUC). Crucially, the learned representations track generalizable biological threats rather than family-specific or physical heuristics: our probe correctly classified distinct, structurally unseen toxins (Ricin etc.). We conclude that securing generative biology requires representation-level intervention, and we outline an architecture to scale these guardrails via Sparse Autoencoders and residual-stream monitoring.
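To make the probe idea concrete, here is an added worked example (not the authors' code, and not ProteinMPNN's): a logistic-regression probe with an L1 penalty, fit by proximal gradient descent over constructed activation vectors, then scored with ROC-AUC on a held-out split. The hidden width, the dimensions that carry the class signal, and the data are all hypothetical stand-ins for decoder representations; the point is the mechanics of a sparse probe, how its ROC-AUC is computed, and why L1 regularization leaves a handful of non-zero weights that a defender can inspect dimension by dimension.

```python
# Added example (not the authors' code): a sparse linear probe over
# *constructed* activation vectors, standing in for the L1-regularized probe
# on decoder representations that the abstract describes. Hidden size,
# signal dimensions and data are all hypothetical.
import numpy as np

D = 64                      # hypothetical hidden width of the probed layer
SIGNAL_DIMS = (7, 23, 41)   # constructed: the dims that carry the class signal


def make_dataset(n_per_class=200, shift=1.5, seed=0):
    """Constructed stand-in for per-design activation vectors.

    Most dimensions are pure noise; a few are shifted for the positive class,
    mimicking a representation that encodes the property a probe should find.
    """
    rng = np.random.default_rng(seed)
    X = rng.normal(0.0, 1.0, size=(2 * n_per_class, D))
    y = np.r_[np.zeros(n_per_class), np.ones(n_per_class)]
    for d in SIGNAL_DIMS:
        X[y == 1, d] += shift
    return X, y


def train_l1_probe(X, y, lam=0.05, lr=0.1, steps=2000):
    """Logistic-regression probe with an L1 penalty, fit by proximal gradient
    descent (ISTA). The soft-threshold step sets uninformative weights to
    exactly zero, which is what makes the probe readable dimension by dimension."""
    n, d = X.shape
    w = np.zeros(d)
    b = 0.0
    for _ in range(steps):
        p = 1.0 / (1.0 + np.exp(-(X @ w + b)))   # sigmoid of the logits
        g = p - y                                  # d(log-loss)/d(logit)
        w -= lr * (X.T @ g) / n
        b -= lr * g.mean()
        w = np.sign(w) * np.maximum(np.abs(w) - lr * lam, 0.0)  # prox step for L1
    return w, b


def probe_scores(w, b, X):
    """Probability-like score per design; higher means 'flag this one'."""
    return 1.0 / (1.0 + np.exp(-(X @ w + b)))


def roc_auc(scores, y):
    """ROC-AUC as the probability that a random positive outscores a random
    negative (ties count half); equal to the area under the ROC curve."""
    scores = np.asarray(scores, dtype=float)
    y = np.asarray(y)
    pos = scores[y == 1]
    neg = scores[y == 0]
    diff = pos[:, None] - neg[None, :]
    return float(((diff > 0).sum() + 0.5 * (diff == 0).sum()) / diff.size)


def active_dims(w):
    """Indices of non-zero probe weights, largest magnitude first: the
    dimensions a reviewer would inspect to see what the probe keys on."""
    nz = np.flatnonzero(w)
    return [int(i) for i in nz[np.argsort(-np.abs(w[nz]))]]


def run_experiment():
    """Train on one constructed split, evaluate on a fresh one."""
    X_tr, y_tr = make_dataset(seed=0)
    X_te, y_te = make_dataset(seed=1)
    w, b = train_l1_probe(X_tr, y_tr)
    auc = roc_auc(probe_scores(w, b, X_te), y_te)
    return {"auc": auc,
            "active_dims": active_dims(w),
            "n_nonzero": int((w != 0).sum())}


if __name__ == "__main__":
    r = run_experiment()
    print(f"held-out ROC-AUC: {r['auc']:.3f}")
    print(f"non-zero weights: {r['n_nonzero']} of {D}; top dims: {r['active_dims'][:5]}")
```

On this constructed data the probe recovers the three planted dimensions as its largest weights and drives almost all of the 61 noise dimensions to exactly zero, which is the property that lets a defender ask what a single dimension responds to. ROC-AUC here is rank-based, so it is unaffected by the weight shrinkage the L1 penalty introduces; a real evaluation would additionally report a threshold and the false-positive and false-negative rates at that threshold, since those are what an operator of an upstream guardrail actually lives with.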
Re the argument on end-point-only screening: it's a fair point, but the reason for this is that it's a key physical chokepoint. How would you actually implement upstream screening during the generation of novel sequences when models like Evo 2 are open source? A discussion of how these techniques could be implemented in practice is missing and would have been really interesting and valuable.
How good is a 0.868 ROC-AUC actually? Are there any relevant comparisons that put this into perspective in an intuitive way?
The evidence of cross-family biological generalization is great and intriguing. I am curious to hear hypotheses about why dim 103 activates for these toxins (and why for human insulin).
Overall I think this interpretability approach to genomic language models and sequence design models is really interesting and promising! Good work.
IMHO your submission is a bit too biased toward arxiv-style academic writing. That's great for a very particular researcher audience but as a judge who is more in policy-world, it's a bit hard to follow. I think you could take inspiration from the writing of research outputs at places like METR or GovAI who do a great job at writing with rigorous clarity that is still accessible to non-experts.
This project has a strong and relevant core idea. Moving guardrails upstream into generative biology pipelines is the right direction, and using representation-level signals is a smart approach. The proof-of-concept with a probe on model activations is a good starting point, and the generalization claim is particularly interesting.
However, the current work feels like an early prototype rather than a robust demonstration. You need to tighten the experimental story. Define what “pathogenic intent” means in measurable terms. Compare against existing screening approaches to justify the shift upstream. Stress-test the system against adversarial or ambiguous cases, since attackers will adapt.
This project clearly describes the problem being addressed and proposes a mitigation framework, with the video demonstration neatly showcasing the GUI. Thought was clearly put into curating the datasets, with deliberate attempts to address potential flaws such as models identifying any binding interface as malignant. I would like to congratulate the authors for this piece of work, well done!
That said, the benign dataset is limited to only three subclasses of targets, and the set of malign proteins used in training and testing is limited. For instance, only viral glycoproteins and toxins are considered. This limited coverage constrains the relevance of the findings.
Failures across the small number of proteins tested also indicate high false positive and false negative rates. Given that "the successful use of interpretability techniques" is the project's main conclusion, the supporting empirical evidence is relatively weak, and this should be acknowledged in the report. While this is understandable given the time constraints, the claims and proposals are stronger than the technical evidence presented.
Cite this work

@misc{
  title={(HckPrj) Mechanistic Upstream Guardrails for Biosecurity},
  author={Navraj Singh, Anjali},
  date={4/26/26},
  organization={Apart Research},
  note={Research submission to the research sprint hosted by Apart.},
  howpublished={https://apartresearch.com}
}