ΔMis: Measuring cross-lingual safety drift in low-resource languages Deck

Yatharth Maheshwari, Arka Dash, Eric Modesitt, Rishabh Sharma, Avani Sood

ΔMis is a low-compute evaluator for cross-lingual safety drift: it scores a model's latent comply-versus-refuse propensity in English and a target language on matched prompts, using the model as its own control and a benign split to isolate safety-specific shift. Across six open models and twelve Indic languages, drift falls with size within Qwen3 but reverses across families; the smallest models are most exposed. The proxy measures propensity, not realized harm.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Mis tackles a well defined problem with a clever methodological move: instead of trying to label harmful outputs in languages where judges are unreliable, it reads the model's own log probability propensity and uses English as the baseline, turning absolute measurement into paired comparison. The benign control that nets out generic capability degradation is the paper's best idea, and Finding 3 demonstrates its value concretely: without it, you misrank which model actually has a safety problem.

The statistical work is unusually rigorous for a hackathon submission. Bootstrap CIs, permutation tests, BH correction, and explicit flagging of fragile cells (Llama Hindi) all show careful thinking about what the data can and cannot support. The authors are disciplined about separating clean scaling axes (Qwen3 Bengali/Gujarati, matched quantization) from confounded cross family comparisons, and they never overclaim the latter.

The central limitation, which the authors name clearly, is that propensity is not harm. The method measures whether the model leans toward a "Sure, here's how" opening more in Bengali than English, but that opening might still be followed by a refusal or a useless response. Until the proxy is validated against decoded outputs, the safety implications remain conditional. This is acknowledged as the top future work item, but it does mean the paper's empirical findings are about the metric's behavior rather than about realized safety failures.

Coverage is thin outside Qwen3. The cross family finding (gemma drifts most) rests on a single language for a single model at different quantization, which the authors flag but still headline in the abstract and Figure 1B. Presenting it as a "result" rather than an observation stretches what one data point supports.

The writing is dense but precise, and the paper does well to separate confirmatory from exploratory findings. The released artifacts (prompts, prefixes, configs, no harmful completions) are a responsible choice.

This is an exceptionally strong and original contribution: a low‑compute, model‑agnostic evaluator that measures cross‑lingual safety drift by comparing latent comply‑vs‑refuse log‑probabilities between English and Indic languages, with a benign‑controlled difference‑in‑differences estimand that makes the model its own control and avoids label saturation and multilingual judging overhead.

The methodology is rigorous for a hackathon (careful proxy definition, bootstrap CIs, permutation tests, explicit treatment of quantization and coverage confounds), and the empirical findings—scale reducing drift within Qwen3 but not across families, smallest models most drift‑prone and least helped by system prompts—are highly actionable for Global South deployments. Limitations are clearly stated (proxy not yet validated against decoded behavior, uneven language/model coverage, key parallel‑trends assumption for the benign control), and the work would be even stronger with a compact, more intuitive explanation of the proxy for non‑specialists and a concrete plan for the proposed proxy‑validation experiment.

Overall, this deck presents a high‑impact evaluation infrastructure that others can reuse to map multilingual alignment gaps before deployment.

ΔMis addresses a real and underappreciated problem: surface refusal rates saturate at frac_pos = 1.0 in 29 of 31 cells, leaving behavioral evaluations nothing to measure for capable models. The self-as-control benign-controlled estimand is a methodologically sound response — making the model its own control removes the need for a calibrated multilingual judge and works below the saturation floor. The benign control reversing the model ranking is the paper's clearest result: Qwen3-1.7B looks worst by raw metric (+4.11) but 89% of that is generic capability degradation; gemma-3-12B's +1.24 safety_drift reflects 59% harm-specific drift and is the genuine deployment concern. Only the benign-controlled metric reaches this conclusion.

The proxy validation is the essential missing piece. Every empirical finding is conditional on s correlating with realized compliance. The paper's own stated limitation — "more compliant is a propensity claim, not realized harm" — means the drift rankings cannot yet be read as harm rankings. Decoding a stratified sample of high- and low-s prompts and reporting the correlation would turn this from a methodological contribution with preliminary empirics into a citable result.

The cross-family finding rests on one language per model, confounded by quantization. gemma-3-12B runs at full precision while Qwen3 models use NF4 — the paper is honest about this but it means the cross-family claim should be framed as a hypothesis rather than a finding until coverage is extended to at least two languages per model under matched quantization.

Test the parallel-trends assumption explicitly. The benign control nets out generic degradation only if benign and harmful prompts drift together absent harm. The two splits differ in length, content, and translatability as the paper acknowledges. A length- and perplexity-matched benign control would directly test this rather than leaving it as a stated assumption.

Cite this work

@misc {

title={

(HckPrj) ΔMis: Measuring cross-lingual safety drift in low-resource languages

},

author={

Yatharth Maheshwari, Arka Dash, Eric Modesitt, Rishabh Sharma, Avani Sood

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.