Representational Macrostates and Statistical Difficulty in LLM Safety Prompts

Nahuel Roldan, Lihuen Manzano

We introduce a rollout-based statistical difficulty benchmark for LLM safety prompts and study whether proxy hidden-state macrostates can diagnose non-additive prompt compositions. The project frames safety prompt evaluation as a procedural inverse problem: prompts and conditions induce populations of model trajectories, which are scored into behavioral error components and aggregated into a statistical difficulty measure. We then fit effective representational models, including a quadratic Hamiltonian-like diagnostic model, and show that composed transformations should not be assumed additive: a composed prompt AB can produce representational and behavioral effects that are not predictable from A and B separately. The resulting framework is intended as a triage tool for prioritizing risky prompt transformations and compositions in AI safety evaluations.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The submission recasts LLM safety evaluation as an inverse problem. The authors define a population of generative trajectories for a prompt q under condition C, then build a per-rollout error vector with seven components (exact leakage, reversible transformation, partial reconstruction, unsafe cooperation, false refusal, task failure, any leak) that aggregates into a population-level statistical difficulty D_stat. The representational layer comes next. Reduced coordinates xi(alpha) feed a hierarchy of effective models D^(n) fit up to fourth order. Prompt compositions are then analyzed through finite differences I_AB and representational scattering S_AB, with the explicit goal of separating behavioral non-additivity from curvature in the prompt-to-representation map.

What surprised me on the second read is how much empirical work sits underneath the formalism. The abstract undersells this. There is a broad sweep with 8 secrets, 484 prompts, and 3872 rollouts on qwen3-coder:30b-32k served through Ollama, a focal run of 100 prompts at B=16 (1600 rollouts), and a separate PT pair check with 5120 rollouts on fresh secrets and bases. Proxy activations from Qwen2.5-0.5B-Instruct are extracted at seven layers (0, 4, 8, 12, 16, 20, 24) and the fit hierarchy uses leave-secret-out to compare constant, linear, diagonal-quadratic, full-quadratic, and cubic regressors. The 7-component error taxonomy is not decorative. It maps to concrete failure modes the rollouts actually produced (a P,r=3 rollout that reveals "BLUE" as the first block, T,r=2 cases where the model writes both the value and its reverse). The finding that 92 percent of the Frobenius norm of H lives in off-diagonal entries is a clean empirical statement that the chosen PCA basis does not factor difficulty into independent modes. My favorite move in the paper is the explicit separation of I_AB and S_AB. Saying out loud that a behavioral non-additivity may come from a real off-diagonal in H or from a nonlinear prompt-to-coordinate map is the kind of methodological hygiene mech-interp adjacent safety work usually skips.

The main thing holding the paper back is the proxy substitution. Reading 0.5B activations to explain 30B behavior is a load-bearing assumption, and the paper acknowledges it in the conclusion but does not test it. A small same-model replication would do a lot of work here. Fit the same H on Qwen2.5-0.5B alone, or on any model in the 7B range that fits in memory, and check whether the off-diagonal dominance and the CP/CT/PT scattering signs survive. If they do, the proxy story is much more defensible. If they do not, the paper still has a useful negative result. A second gap is interpretability anchoring. The xi(alpha) coordinates are estimated by PCA of activation deltas, with no comparison against sparse autoencoder features or RepE probe directions from prior work on Qwen. Without that anchor, readers cannot tell whether the reduced coordinates recover known safety-relevant directions or describe something orthogonal to them. A third nice-to-have lives in section 5. F1 = 0.933 at D_obs >= 1 is reported as triage, but the positive class is small and the threshold is generous. Flagging a held-out prompt class up front, then verifying with rollouts on a fresh secret family, would convert the diagnostic claim into an operational one.

Zooming out, the more interesting contribution is methodological. The authors give safety evaluation a vocabulary that mech-interp and behavioral testing can both use, with experimental knobs (transformation families, intensities, compositions) attached to each side. Two design choices are worth preserving in future work. The first is keeping eα,b as the primary datum instead of collapsing to a scalar, because it lets the same D_stat number be unpacked into different failure channels. The second is the I_AB versus S_AB distinction, because population-level safety metrics are otherwise easy to misread as interaction terms when the underlying geometry is what shifted. A follow-up that resolves the proxy question and ties xi(alpha) to interpretable features would put this work in direct conversation with the RepE line of research.

Super interesting, this is an ambitious formalism!

I would simplify the paper a lot, I recommend the empirical result first, then introduce the math only as needed.

I think one limitation it has is measuing on Qwen3-Coder-30B while using Qwen2.5-0.5B as the representation proxy. Even within the Qwen3-Coder family, the 30B isn’t the strongest available. As a next step should be direct activations from the same (and ideally larger) model, more compositions, and a clearer “how a safety team would use this” section.

The presentation is way too technical for the project to to be properly judged under the time constraints.

Inverse problems are interesting but it is unclear what exactly "controlling the prompt" means. Is this protocol designed to figure out which prompts produce safe outcomes? How do we apply this? Is this a monitoring project? Or is it designed to modify prompts so that outcomes are safe and yet close to what the original prompt asked for? The goal of the protocol is very unclear and not discussed very much.

This is a very ambitious and creative paper. I especially liked the idea of framing safety prompting as an inverse problem, as well as the effort to build a benchmark that measures how statistically difficult different prompts are. The paper is also strong in treating errors in a more detailed way, separating cases such as exact leakage, partial leakage, unsafe cooperation, and false refusal.

The behavioral benchmark is the strongest part of the paper. It produces a clear and useful signal, especially showing that transform and partial-extraction prompts are among the hardest cases.

My main concern is that the formal framework goes further than the evidence supports. The representational model is presented carefully as a hypothesis, but the empirical support for it is still limited. In particular, some of the evidence comes from a smaller proxy model rather than from the main model used in the behavioral benchmark, and the paper does not yet show clearly what the more formal machinery adds beyond the benchmark itself.

I would recommend tightening the scope. The authors should first validate the representational claims more directly, ideally using the same model and showing that the framework can predict results on held-out cases. I would also encourage them to make the exposition more accessible to readers without a physics background. Overall, the paper has a very high ceiling, but it needs more grounding before the formal apparatus can carry the argument.

Cite this work

@misc {

title={

(HckPrj) Representational Macrostates and Statistical Difficulty in LLM Safety Prompts

},

author={

Nahuel Roldan, Lihuen Manzano

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.