Sovereignty at the Forward Pass

Shubhradeep Nandi

As frontier AI capability concentrates in a few API-served models, "AI sovereignty" is framed as owning compute and data. That misses the object. The variable deciding both a state's autonomy and its safety is inference control: who runs the forward pass, who sees its inputs, who can verify, pin, or replace the model. I show inference-control primitives attested identity, confidential execution, anti-substitution proofs are the same primitives AI-safety verification needs, so sovereignty and safety converge. A seeded Monte Carlo finds market concentration multiplies systemic-failure risk ~14×, suppressed only past a sharp coverage threshold. Coding six jurisdictions (India, EU, UAE, Singapore, China, USA), we find the attestation layer empty everywhere and that India's decisive act, moving BHASHINI onto domestic infrastructure, repatriates the inference trust boundary rather than owning hardware. Together: a reframe, a model, and evidence that sovereign inference is distributed AI safety.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

A genuinely original reframe: relocating "AI sovereignty" from infrastructure ownership to inference-time control, and the convergence thesis (the primitives a state needs to assert inference control are the same primitives needed to verify model behavior in deployment) is a non-obvious and valuable observation.

Four things would strengthen it. First, the six dimensions are presented as derived from a method (which properties' controller flips between API and weight-possession) but are really a well-chosen taxonomy: the stated procedure does not generate exactly six, and the boundaries are arbitrary (why is "policy layer" one dimension but "weight access" another?). Deriving them from, or at least cross-checking them against, the surveyed literature would close the gap between claimed method and result.

Second, the convergence is demonstrated by curation rather than argued: the table maps primitives that map cleanly, with no claim of completeness or argument that the correspondences are tight rather than analogical.

Third, the feasibility claim for middle powers is asserted, not reasoned. "Middle powers" are heterogeneous, and the decisive layers (sovereign open-weight substitution, audit/escrow rights) presuppose capabilities the paper concedes even India only partly has; "cheaper than frontier parity" is not the same as "achievable for the class," and the institutional, legal, and political barriers raised in the limitations are never allowed to bear on the central optimism.

Fourth, the three predictions are weaker than "falsifiable" implies: P2 has no defined failure condition and pre-codes the sole examined case as confirming; P3 follows from any monoculture argument independent of this framework; P1 is near-definitional once the primitives are defined as the overlap.

Finally, some terminology is doing unearned work. "Theory of change" is really a portfolio-allocation heuristic with no actor or adoption pathway.

This paper challenges the claim that nations which pursue AI sovereignty through localized infrastructure control are actually meeting their sovereignty goals. It claims that countries which have API only access to frontier models (despite owning or hosting compute, data, and model infrastructure locally) lack fundamental input or control at the inference level which actually determines a state’s level of autonomy and safety determinations over a model. It uses India as a case study and effectively shows where existing legislation maps to the identified gaps in control/jurisdiction.

It advocates for a five layer approach to verification and inference control that states can apply to specific use cases and sectors depending on sensitivity levels to improve AI safety controls. The paper argues that middle powers would benefit most from “a world of many independent verifiers” vs. the status quo “where a world in which a few labs are the sole verifiers of their own models.” It offers clear next steps to expand the work and test their hypothesis, as well as a solid analysis of potential counterarguments to their theory.

The suggestions section offers clear recommendations, but would benefit from an expanded explanation for how to implement these in-practice, especially continuing with the India case study specifically. I’m left curious how the authors would translate their recommendations for policymakers. The table data could be presented in a clearer way with more background information, but is overall solid hackathon work.

Future expansion of the work would benefit from a clear rubric/matrix to classify risk, and mapping their five layer approach to actual technical mechanism to implement the Seven Sutras framework.

Re-framing BHASHINI's move as securing the data boundary rather than just building hardware is a sharp and original insight. However, the biggest unresolved issue is that using secure hardware (TEEs) simply shifts your trust to the chip maker instead of actually erasing foreign dependency, which undercuts your main point and deserves more than a single sentence. To develop this beyond a theoretical framework, you may consider empirically test at least one of your predictions (like P1, showing that safety pipelines and procurement rules naturally overlap on the same core tools)

Cite this work

@misc {

title={

(HckPrj) Sovereignty at the Forward Pass

},

author={

Shubhradeep Nandi

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.