PowerBench: a multilingual study of large language model refusal in power-grabbing requests

Gaspar Labastie, Wendy Brau, Tomas Korenblit, Tomás Gimenez Molina, Gonzalo Agustín Heredia, Nicolas Martorell

PowerBench is the first public benchmark measuring LLMs' willingness to assist with power-grabbing: requests to increase one's own power by reducing a third party's. It varies power domain, context, scale, language, and nationality; separating power-grabbing from two controls: harmless-empowerment and disempowerment. Across five models, refusal of power-grabbing ranges from 8% to 70% (most models comply with the majority) and is consistently refused less than pure disempowerment, suggesting models react to harm, not to power concentration itself. Refusal also shifts with language and target nationality.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Well-written. Would help reader calibration if there were samples of the raw dataset entries + model transcripts on them in the appendix. Somewhat misleading to state a result that's n.s. after multiple-testing correction as a claim in the abstract.

Interesting and important safety risk highlighted. Well done in providing defrentiation in categories separating power grabbing from harmless empowerment and pure disempowerment, which made the findings easier to interpret and more useful for future safety evaluation. The result the caught my eyes was "The two United States models refuse most in English; the three Chinese models refuse most in Chinese", this infers that model refusal behavior is not language-neutral; safety alignment appears strongest in the developer’s home language and weaker when prompts are presented in other languages. I will encourage to carry on the future work and add the more implicit, naturally framed power-grabbing requests, as this would help determine whether model behavior changes when harmful intent is embedded in the scenario rather than stated explicitly.

The core idea (evaluating power-grabbing refusals) genuinely caught my attention. I like that you varied the scenarios in the dataset based on sensible axes to try and cover the relevant distribution. The results are well reported too. I would have like to see some assessment of human agreement rate with the judge, and some measurement of the capability (how helpful are the models instead of just them not refusing).

PowerBench fills a huge gap in terms of no public benchmark had previously measured model willingness to assist with power-concentration requests, and the multilingual factorial design is a meaningful contribution. The findings on the home language effect and nationality asymmetry are the most valuable for the AI safety community. To strengthen the work, the most important next steps would be:

1. calibrating the automated judge against human annotations (Cohen's kappa); 2. including multiple prompts per cell to decouple wording effects from factor effects, and 3. expanding the nationality study to more models before drawing firm conclusions. The limitations section is exemplary.

Hey! Super cool. This feels like a real benchmark for a neglected safety failure mode, and it is pretty novel, especially through the hackathon theme lens.

You could strengthen it a lot by adding human labels and judge agreement. Right now it relies on a single LLM judge without human agreement, which makes the headline numbers harder to trust. Also, things are moving really fast in AI, so I would update the model panel to current SOTA from the labs and/or open source. For example, Claude 3 Haiku is now retired, and I do not see a specific reason to use it instead of claude-haiku-4-5-20251001*

* https://platform.claude.com/docs/en/about-claude/model-deprecations

Cite this work

@misc {

title={

(HckPrj) PowerBench: a multilingual study of large language model refusal in power-grabbing requests

},

author={

Gaspar Labastie, Wendy Brau, Tomas Korenblit, Tomás Gimenez Molina, Gonzalo Agustín Heredia, Nicolas Martorell

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.