Not All Should Go South: The Pragmatic AI Strategy for Secondary Powers

Kauã Victor Dias dos Santos, Erickson Leon Kovalski, Adre Novais Xavier Rodrigues , Bruno Nobre Silveira

We argue that conceptual confusion among model development, deployment, and usage leads Global South nations to an irrational trend of pursuing 'AI sovereignty' through domestic frontier model training. Because secondary powers cannot realistically compete at the development layer due to winner-takes-most dynamics and rapid model commoditization, the authors advocate for focusing resources on downstream deployment and usage where opportunities for profit and social impact are greater. Ultimately, the project introduces a pragmatic framework that links these downstream layers to concrete AI-safety rationales, guiding future National AI Plans away from the illusion of full-stack sovereignty and toward actionable resilience.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The main shortcoming of this work is that it missed exploring the space of options for AI strategy in development, jumping too quickly to the other stages of the AI cycle.

It seems very plausible to me that Brazil's most valuable bet to remain relevant is to build more compute and lease it to the top AI labs worldwide. Even if 'developing' models would be unprofitable for them, renting compute definitely wouldn't if they can ensure some reasonable rule of law provisions around it. See arguments here: https://newsletter.forethought.org/p/how-can-the-middle-powers-avoid-getting

Beyond that, I did not find the other arguments in the text particularly tight in driving their conclusions. They chose a really important question, but could have done better in working towards their conclusions

This is a clearly written, well-organized, and timely paper, and the disaggregation of AI strategy into development, deployment, and usage is a potentially useful lens. A few directions would meaningfully strengthen it.

First, the contribution would land harder with a sharper target. The programs cited as cautionary examples, Brazil and India, are in practice already pursuing largely non-frontier, deployment-and-fine-tuning strategies, so it would help to clarify whether the argument is against frontier pretraining from scratch (which few policymakers actually fund) or against non-frontier "sovereign-sufficient" model training (which can be a defensible, auditable, locally-aligned capability investment at relatively modest cost). Drawing that frontier-versus-usable distinction explicitly would prevent the recommendation from reading as broader than intended, and it is arguably the distinction that decides whether domestic training is a misallocation or a reasonable bet. A quantitative comparison of economic effects across the three layers, even a rough one, would also give the central claim empirical grounding it currently relies on argument to supply.

Second, the paper's strongest move, disaggregation, could be applied one level deeper to the two layers it recommends. Deployment spans fine-tuning, post-training, hosting, and the open-versus-closed choice; usage spans building proprietary applications versus adopting commercial ones, and differs substantially between public and private sector contexts. Specifying which of these components suit which kinds of country would turn a directional orientation into actionable guidance. This connects to the acknowledged lack of country-level calibration: because the paper's output is a prescriptive sequence, tying it even loosely to national compute, talent, and institutional capacity would do a lot to make it policy-relevant, and would be a natural next step alongside the deferred analysis of real national plans.

Third, the argument would be more persuasive if it engaged the strongest opposing evidence. The macroeconomic case currently rests on Acemoglu's conservative estimate; bringing in the more transformative projections (e.g. Brynjolfsson) and addressing them directly would strengthen rather than weaken the paper, since the transformative-gains scenario is the main challenge to its thesis. Similarly, the load-bearing premise that development is a poor investment, and several supporting points sourced to industry and venture commentary, would benefit from firmer analytical or empirical backing. The component on building a domestic AI-safety research community is promising but would be stronger with an explicit account of the mechanism by which that expertise translates into influence over how frontier models are built.

On presentation, the writing is clear and the structure logical; dialing back the confident register in a few places would help the strong underlying argument read as the careful analysis it is rather than as an opinion piece.

Cite this work

@misc {

title={

(HckPrj) Not All Should Go South: The Pragmatic AI Strategy for Secondary Powers

},

author={

Kauã Victor Dias dos Santos, Erickson Leon Kovalski, Adre Novais Xavier Rodrigues , Bruno Nobre Silveira

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.