Pragmatic Sophistry in Vietnamese Multi-Agent Oversight

Bui Cao Dong Nghi, Truong Ngoc Minh Tam, Bui Ngoc Linh

AI safety monitors are usually evaluated on the assumption that risky behavior is lexically visible in the text being watched. We test this assumption in a multilingual, multi-agent setting: Vietnamese-language workflow agents in which control violations are expressed not through explicit risk keywords but through pragmatic, culturally fluent language (hierarchy, relationship pressure, euphemism, omission, and routine framing). We build a four-stage pipeline (attacker-renderer, fluent oracle, naive executor, monitor) and evaluate two LLM monitors (Gemini 2.5 Flash, DeepSeek Chat) under three visibility conditions (seeing the original instruction, only the executor's action/report, or the full instruction-action trace) across three domains: e-commerce, banking, and government. Our central finding is a context-compression failure that is strongly domain-dependent. In e-commerce, monitoring only the executor's action raised false negatives on suspicious pragmatic-Vietnamese requests from 6.4% to 22.3%, with full-trace monitoring recovering performance to 8.5%; up to 24.4% of violations catchable from the instruction were missed once only the action was shown. This failure was mild in banking and absent in government, where violations are concrete, explicit actions that survive compression. Across all domains, the rare misses were high-confidence (0.90–1.00). We conclude that the executor/report layer can disguise safety-relevant context in some domains, that the vulnerability tracks the type of violation rather than language alone, and that preserving the instruction-action trace is an important, low-cost safeguard for multilingual agentic oversight.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The paper does a good job showing how safety relevant context can get lost when a multilingual instruction is compressed into a downstream action or report. I especially liked the instruction -> action > trace comparison, as it makes the core finding practical and easy to understand.

The results are meaningful, particularly the e-commerce case where action only monitoring clearly underperforms and full trace monitoring recovers much of the lost signal. Adding human generated context and inputs would have been very helpful. That would make the results feel more grounded and help confirm whether the same patterns appear outside model generated workflows.

Empirically grounded — Concrete numbers (6.4% → 22.3% false negatives, recovery to 8.5%) make the findings actionable

Domain comparison — Testing across e-commerce, banking, and government reveals that the vulnerability is not uniform, which is a nuanced and useful finding

Practical recommendation — "Preserve the instruction-action trace" is a low-cost, implementable safeguard

Timely — Directly relevant to the current wave of agentic AI deployment

This is a publishable, original contribution that addresses a real gap identified by major safety reports and aligns with where the top labs (Anthropic, DeepMind) are investing right now. It would be a strong fit for venues like EMNLP, ACL, AAAI (safety track), or workshops like SafeGenAI/TrustNLP.

Your discovery that an AI assistant's routine summarisation alone — no deception needed — is enough to hide a safety violation from a monitor is a genuinely eye-opening finding, and mapping exactly which domains this is dangerous in makes it immediately useful for real teams. To push it further, test with an even more aggressive summariser to show the worst-case risk, and consider releasing your Vietnamese test scenarios as a public benchmark — nothing like it exists today, and the field would build on it for years.

This is a strong and practically motivated project. The paper identifies a clear oversight failure mode: safety-relevant context can disappear when a Vietnamese instruction is compressed into an executor action/report, especially in relational or personally identifiable information workflows. The instruction/action/trace split is a good experimental design choice, and the cross-domain comparison makes the central claim more interesting than a generic “multilingual monitoring is hard” result.

The strongest contribution is the domain-dependent mechanism: e-commerce failures are not just caused by Vietnamese pragmatics, but by executor-side context compression of authorization, relationship, and omission cues. The worked examples make this intuitive, and the conditional report-hiding metric is useful.

The main improvement would be to strengthen the empirical grounding. The datasets are small, model-generated, and filtered by model/oracle components, so the conclusions should be framed more clearly as an audit prototype rather than broad evidence about Vietnamese workflows. The paper would benefit from more detail on scenario generation, oracle criteria, executor prompts, monitor prompts, and exact labeling rules so others can reproduce the results. It would also help to include human Vietnamese annotators or at least a small human validation sample, since the core claim depends on culturally fluent pragmatic meaning being recoverable.

The statistical presentation is promising but could be cleaner. Some claims rely on small cells, especially cue/persona/pressure breakdowns, and should be marked more explicitly as exploratory. Government results are described as “absent,” but the paper correctly notes the study is underpowered there; I would consistently phrase this as “no measurable gap in this sample” rather than “absent.” Finally, the paper should separate more sharply what is caused by multilingual pragmatics, what is caused by executor summarization, and what may be caused by domain-specific task structure.

Overall, this is a useful and novel AI safety audit with a clear practical takeaway: action-only monitoring can be unsafe in domains where violations depend on social/authorization context, and preserving the instruction-action trace is a low-cost mitigation.

Cite this work

@misc {

title={

(HckPrj) Pragmatic Sophistry in Vietnamese Multi-Agent Oversight

},

author={

Bui Cao Dong Nghi, Truong Ngoc Minh Tam, Bui Ngoc Linh

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.