Protección de la soberanía: un marco empírico de vulnerabilidad y un escudo regulatorio para la IA en una potencia media

Max Pinelo, Pilar Moncada

A reproducible framework to defend the AI sovereignty of a tech-dependent middle power.

VIGÍA (live) reads the official gazette and the national press across 15 risk categories to measure where the state runs high-risk AI unregulated and on whom it depends. SARA turns that diagnosis into five prioritized laws that make that dependence non-weaponizable.

Evidence (Mexico): Analysis of 153 gazette editions and 4,327 news items reveals:

95.6% regulatory gaps,

82% "silent AI", and

72.8% dependence on six U.S. firms.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Interesting paper that carries out a solid analysis and makes proposals to respond to the AI regulatory gap and the dependency to foreign AI producers of Mexican stakeholders. Your statement "In exchange of computing, Mexico hands in its national data and its markets..." is, sadly, an accurate description of the current situation which shows why your work is urgent and very relevant.

Moving forward, you may want to consider:

* The concepts of MAD and MAIM are based on the military domain and are problematic for various reasons. It would be useful to explain why the authors chose to use these are as analytical framework. There are others which also aim to explain and respond to the challenges of the so-called "Middle Powers", and of global South/global majority countries; so it would be useful to explore those and explain your choices in this regard.

* Incorporate some discussion of how human rights are affected by lack of legislation and current AI-related harms already happening without accountability, including upstream harms ones such as those of the data centers (case of Querétaro, among others). It would be very useful and more impactful to ground more the proposals from an AI Safety perspective on the actual impacts. Reach out the human rights defenders doing work in this area.

* There is a wealth of research on decoloniality in the framework of artificial intelligence, reviewing it could be useful to further explain the situation and risks faced by countries with dependency to others for their computing power; and strategies to respond to them from that perspective.

* Your paper may benefit from at least mentioning the strategies that some tech companies engage in to try to avoid or postpone the adoption of any AI in some countries. It would useful to add this because while many legislative gaps result from national processes, the fact is that industry lobbying is a major factor (for all countries, not only ours) that needs to be made visible and tackled, even in the framework of AI Safety.

The paper's greatest strength (a real, operational system producing real data) is also where the greatest methodological gap lies. The reliability of the entire downstream analysis depends on the accuracy of the LLM classification pipeline, and the paper does not give the reader enough to evaluate this.

The SARA framework is the paper's most ambitious contribution and also the least developed. The pillars are well-motivated, but each one encounters known political economy obstacles that the paper doesn't address. For example, anti-monopoly legislation (Pillar 4) faces trade agreement constraints the paper briefly acknowledges but doesn't engage with; the case for "legislate before you negotiate" deserves more development, including at least one precedent where this strategy succeeded or failed. Similarly, the "stack crítico soberano" (Pillar 2), requiring sovereign compute capacity for critical functions, has significant cost and feasibility dimensions that would need to be addressed for a real legislative agenda.

Cite this work

@misc {

title={

(HckPrj) Protección de la soberanía: un marco empírico de vulnerabilidad y un escudo regulatorio para la IA en una potencia media

},

author={

Max Pinelo, Pilar Moncada

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.