Organizing Against the Algorithm: Collective Response as a Governance Lever for Gradual Disempowerment in South Africa's AI Infrastructure Buildout

Neo

The paper argues that collective action is an underexplored way for populations to push back against gradual AI disempowerment, and that South Africa is a uniquely well-positioned test case given its history of organized resistance.

It uses Cassava Technologies' AI Factory near Johannesburg as a concrete example. The paper notes that no organized group is currently contesting this distributional gap.

Drawing on historical South African cases ie. mineworker strikes, Fees Must Fall, the G20 Women's Shutdown , it identifies the conditions under which collective response tends to succeed: a visible harm and an identifiable target. AI-driven displacement currently lacks both, which is why organizing hasn't emerged despite real stakes.

The paper proposes three policy fixes to deliberately create those missing conditions: mandatory distributional disclosure for large AI infrastructure projects, an early-warning mechanism run through existing union federations, and a formal civil-society seat in infrastructure investment reviews. It closes by acknowledging that the analysis is conceptual, and that the same organizing infrastructure it advocates for could be misused for either surveillance or anti-technology populism.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

I like this paper a lot. The central move — taking the gradual disempowerment framework and asking what bottom-up resistance to it looks like, then pulling in labour economics and social movement theory to answer that — is genuinely original. Most of the disempowerment conversation is top-down (alignment, governance from above), and you're right that the question of whether affected populations can organize against it is underweighted. Bringing those two literatures into contact is a real contribution.

The strongest part is the comparative case framework in Section 3. Scoring the four cases on trigger, actor, demand structure, and outcome, and then pulling out the pattern — collective response forms when there's a visible harm and an identifiable target, and AI labour substitution is missing both turns a story into a falsifiable claim. And then Section 5 maps each recommendation directly onto a missing condition (disclosure creates the target, early-warning creates advance notice, the civil-society seat creates standing). That tight link between diagnosis and prescription is what makes it more than commentary. The Cassava case is well-chosen and I appreciate that you took the sovereignty framing seriously instead of treating the project as a villain the energy/labour/capital-structure breakdown is sharp.The honest limit is that this is conceptual. Four cases generate a hypothesis, they don't test one, and you say so plainly, which I respect. The thing that would worry me if I were building on this: the early-warning mechanism in 5.2 is a surveillance system pointed at deployment, and you flag — correctly — that it could be turned around to monitor and suppress organizing instead. I'd want that risk treated as a core design constraint, not a closing caveat, because "worker-controlled data governance" is doing enormous load-bearing work in one sentence. Two things would lift it: even a handful of interviews with unions near the Johannesburg or Cape Town sites would move this from armchair analysis toward evidence, and a short legal check on whether South Africa's labour framework can even accommodate diffuse, non-single-employer disruption would tell you whether 5.3 is actionable or aspirational. The dual-use note about this energy being redirectable at AI that has real developmental benefit was an honest thing to include.

The paper brings something fresh to the table by looking at collective action as a real form of AI governance, instead of just focusing on regulations or technical alignment like most people do. I thought the comparison of those four South African cases was smart—it helped pull out clear conditions for when collective action actually works, like visible harm, obvious targets, and straightforward demands. Then using that lens to explain why the Cassava AI Factory hasn’t sparked much organized pushback yet felt like a solid bridge between gradual disempowerment and labor economics, which you don’t see discussed much in AI governance conversations.

The biggest weakness is that the empirical side feels a bit thin. The Cassava case raises good questions around energy costs, job losses, and foreign companies capturing most of the value, but a lot of it stays at the level of open questions rather than clear evidence. For instance, it notes that the actual distribution of costs and benefits hasn’t been made public, so it’s hard to tell if the suggested fixes are addressing real harms or just potential ones. The four-case comparison also shows interesting patterns, but four examples aren’t really enough to prove those are the main drivers of successful organizing.

The policy suggestions make sense given the framework—especially things like requiring companies to disclose how benefits and costs are distributed, and setting up early-warning systems for sectors. Still, the paper would feel a lot stronger if it could show these changes would actually shift outcomes on the ground, not just increase transparency. Some interviews with unions, workers, or policymakers, or comparisons with similar big infrastructure projects, would have helped back that up.

Overall, it’s a thoughtful conceptual piece with a clear theory of change and an honest acknowledgment of its limits. The next step is to test the framework with real primary evidence and show that collective organizing can actually work as a practical governance tool in AI projects, rather than just a promising idea.

This is a solid and specific case study that identified three core questions for why South Africa’s collective civil society response has failed to materialize in the case of the development of a new AI data center in Johannesburg. It names the key actors influencing the development of the data center. It lists 3 clear policy recommendations to fill this gap. The limitations section was thoughtful and accurate. The inclusion of the role of labor unions and collective bargaining was a novel and powerful contribution.

It would benefit from more concrete vision for the Sectoral Early-Warning Mechanism, as it was unclear from the text what the purpose and proposed structure of this mechanism could be and how it would measure or identify displacement risk. I also suggest the authors take a more expansive view of the civil society observer recommendation and consider broader public-private partnerships and working groups with civil society inputs, instead of project-based contributions which may run into complications. It would strengthen the paper to include additional state-linked entities beyond CSIR that would be instrumental in adopting these policy recommendations for immediate impact and call to action for specific agencies. It would also strengthen the analysis to include which civil society organizations could be instrumental and relevant for this specific case study.

The paper shows structural policy changes that could improve civil society’s responses to AI developments, and it hypothesizes that the same strategy can be applied to AI developments, but it does not provide a clear path forward to if this collective action can be applied to AI successfully. It simply assumes that if it was successful in historic cases, this can be replicated in the case of AI data centers. The authors must explicitly bridge the gap between historic labor mobilization and AI infrastructure.

Cite this work

@misc {

title={

(HckPrj) Organizing Against the Algorithm: Collective Response as a Governance Lever for Gradual Disempowerment in South Africa's AI Infrastructure Buildout

},

author={

Neo

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.