Reading Intent, Not Output: Cheap Activation Safety Monitors That Transfer Across Languages and Models

Antonio-Gabriel Chacon Menke

Text-based safety monitors inherit the weaknesses of the text they read: they are brittle across languages, blind to intent hidden behind a boilerplate refusal, and always one step late. We show that a model's internal activations offer a cheap, complementary channel that sidesteps all three problems at once. A single linear probe, trained only on English reasoning traces, detects fine-grained safety behaviours in Spanish and Vietnamese with virtually no loss (mean AUC 0.93 and 0.92, against 0.89 on English cross-validation), zero target-language labels required. The same probe identifies which harm category underlies a near-identical refusal (reasoning AUC 0.83 vs.\ text 0.72), recovers a covertly instructed goal the answer never states, and flags a request's harm class from the very first generated token. The monitor is also portable: mapped from one model family to another through a single learned affine bridge, it loses only 0.004 AUC, and a borrowed natural-language explainer can then turn any flagged activation into a plain-English description without retraining. In a triage setting the probe alone catches 95% of harm at a 7.4% false-alarm rate on benign requests. Against a fair multilingual encoder the accuracy gap is modest; the advantage lies in cost, latency, and the cases where the text simply does not carry the safety-relevant information.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This is one of the stronger papers in the set, both in scope and execution. The core argument that activation probes provide a complementary safety signal that is cheap, early, language-agnostic, and works even when the text channel is degenerate is well-supported across several distinct experiments. The three settings where text fails (near-identical boilerplate refusals, covert goals, and first-token latency) are well-chosen and together make a strong case for why the activation channel is worth maintaining alongside text monitoring.

The cross-lingual transfer result (English-trained probe, 0.927 on Spanish, 0.921 on Vietnamese with no target-language labels) is impressive and the comparison against both a fair multilingual encoder and TF-IDF baseline is the right way to contextualize it. The author is honest that the fair encoder nearly ties on accuracy the case for activations rests on cost, latency, and degenerate-text cases rather than raw AUC, and stating this directly prevents overclaiming. The cross-model bridge result (0.004 AUC loss mapping to Gemma-3-12B) is genuinely surprising and, if it holds at scale, has real practical implications for monitoring new or opaque models. The finding that NLA stacking doesn't improve triage performance is a clean negative result that's worth publishing on its own. A few things would strengthen the paper: the forced-language reasoning methodology is well-validated in the appendix, but the evaluation sets are in the low hundreds per language, which limits confidence in the fine-behavior AUC estimates. The hidden-goal experiment (n=40) is small enough that the 0.45 vs. 0.15 comparison should probably include a confidence interval. And the pipeline description in Section 7 is useful but would benefit from a concrete latency estimate "close to free" is a qualitative claim that practitioners will want to see quantified. Overall this is work I'd expect to see developed into a full paper with high impact.

Very good and rigorous work. You go well beyond demonstrating a multilingual gap and instead build a cheap, portable monitor with several genuinely novel pieces: zero-label cross-lingual probe transfer, a cross-model affine bridge whose "geometry is lost but the safety direction survives" result is backed by a shuffled-bridge control, and a borrowed NLA explainer that travels across models.

The methodological discipline is what stands out - you actively debunk your own potential overclaim (activations only tie a fair multilingual encoder on raw accuracy, and you say so), report the NLA-stacking result as a negative and stress-test it across 19 behaviors, and validate the forced-language manipulation with a McNemar ablation. The dual-use section and single-GPU reproducibility are spot on.

Suggestions: the method needs white-box access, the cross-lingual results rest on forced-language reasoning (artificial by design), and evaluation is at small scale on 9–12B models - worth confirming at larger scale and on naturally occurring multilingual generation.

This is a well-executed and clearly presented monitoring pipeline combining cross-lingual probe transfer, cross-model affine bridging, and NLA explanation. The paper is admirably honest about where its advantages lie — cost and latency, degenerate-text cases, and portability — rather than overclaiming on raw accuracy.

The core method is established. Linear probes on residual streams and cross-model activation bridging both build directly on prior work (Arditi et al., Zou et al., Turturean et al. 2025). The fine-grained behavior taxonomy is carried over from the authors' own prior dataset rather than introduced here. The multilingual accuracy advantage over a fair multilingual encoder is modest (0.93 vs 0.90 on Spanish, 0.92 vs 0.90 on Vietnamese), meaning the practical case rests on cost, latency, and degenerate-text cases rather than a clear accuracy win.

Scale the weakest experiment. The hidden-goals result — recovering a covert agenda from activations when the answer text is near-chance — is the most safety-relevant finding, with direct implications for deceptive alignment detection. It currently runs on n=40 across 8 classes. This is the result most worth scaling and extending cross-lingually, since the fine-grained behavior transfer to Spanish and Vietnamese already demonstrates the probe generalizes.

Validate on naturally multilingual prompts. The cross-lingual transfer forces the reasoning language with a prefilled opener while keeping the English prompt fixed. Testing on prompts where both input and reasoning are naturally in the target language would directly address real deployment relevance.

Great use of modern methodologies like NLAs. Methodology is strong. Hypothesis can be more clearly scoped as it covers multiple goals. Section 4 onwards could be rewritten in a more clear way.

Cite this work

@misc {

title={

(HckPrj) Reading Intent, Not Output: Cheap Activation Safety Monitors That Transfer Across Languages and Models

},

author={

Antonio-Gabriel Chacon Menke

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.