S-OWMI: A Perimeter Auditing Framework for Open-Weight Models in Latin American Institutions

Ramiro Carnicer souble

We introduce the Spanish Open-Weight Maturity Index (SOWMI), an auditable perimeter evaluation framework for open-weight LLMs.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This project identifies a clearly defined issue relating to security and governance. There is no doubt that the use of OWM is a strategy for countries such as those in Latin America. This makes the project highly relevant. Its methodology is robust and well-conceived. It is, moreover, innovative. Over time, the project can be further strengthened empirically and with robust statistical analysis. The text needs to explain some acronyms, some of which are as central as MVP, RAG and LoRA (even though they appear to be in common use).

Este es un proyecto valioso y oportuno para las instituciones latinoamericanas que consideran adoptar modelos de pesos abiertos (open-weight). Su mayor contribución radica en que no se limita a reiterar que los modelos pueden comportarse de manera diferente fuera del inglés; propone un marco práctico de auditoría previa a la implementación, con comparación inglés/español, métricas concretas y un scorecard de niveles L1/L2/L3 que puede ayudar a las organizaciones a identificar debilidades de seguridad antes del despliegue local.

Aprecié especialmente la distinción entre los diferentes tipos de fallo. Los resultados sugieren que el comportamiento de rechazo ante indicaciones peligrosas puede transferirse relativamente bien, mientras que la consistencia frente al sesgo y la calidad de los datos en los dominios latinoamericanos siguen siendo más frágiles. Esto es útil porque evita la conclusión generalizada de que "el modelo falla en español" y, en cambio, muestra qué dimensiones requieren mayor atención antes de su uso institucional.

Como oportunidad de mejora, hay dos aspectos a fortalecer. El primero es situar mejor el aporte frente al estado del arte: varios de los hallazgos (que la seguridad se comporta distinto en español y que hay sesgo dialectal) ya han sido documentados en trabajos recientes. Esto no le resta valor al proyecto, porque su contribución propia no está en descubrir el problema, sino en operacionalizarlo en una herramienta de auditoría que las instituciones pueden usar; pero citar los trabajos vecinos más cercanos ayudaría a dejar claro qué es confirmación de hallazgos previos y qué es aporte original. El segundo es la validación: el proyecto evalúa solo dos modelos, y los propios autores reconocen las limitaciones en potencia estadística, tamaño de muestra y agregación de la variación dialectal. Una versión futura se beneficiaría de más modelos, muestras más grandes por dimensión, un análisis más detallado de la variación regional y pruebas en ámbitos institucionales sensibles como salud, derecho, finanzas y servicios públicos.

Desde la perspectiva de la adopción y la gobernanza, el scorecard sería aún más útil si el documento explicitara la relación entre los resultados técnicos y las decisiones de implementación. Dado que el proyecto está diseñado para apoyar a las instituciones, sería valioso aclarar qué implica cada nivel L1/L2/L3 en la práctica: qué usos son aceptables, cuáles deben restringirse, cuándo se requiere mayor supervisión humana, qué controles compensatorios se recomiendan y cuándo no se debería desplegar un modelo en ámbitos sensibles. Esto no implica resolver por completo el problema de la gobernanza institucional, pero haría que la auditoría fuera más práctica para las organizaciones a las que el proyecto busca apoyar.

This is a very strong contribution: S‑OWMI turns a fairly abstract multilingual safety gap narrative into a concrete, auditable perimeter framework that Global South institutions could realistically plug into procurement and governance workflows, and it does so with a well‑motivated focus on Spanish upstream data curation and an L1/L2/L3 scorecard that is both legible and defensible. At the same time, the empirical backbone of V1 is clearly underpowered (a few pairs per step, two models, one dialectal bucket for “español‑diverso”), which means the headline bias gap and the factuality findings are best read as directional signals rather than established effects. To strengthen the work, I would encourage the authors to (i) prioritize scaling each step to at least 50–100 paired prompts with a dialect‑by‑dialect breakdown; (ii) expand the factuality evaluation beyond medical/financial/legal QA to include additional LATAM benchmarks so the readiness blocker label rests on a broader base; and (iii) consider adding a small human‑only evaluation slice per step so that the excellent LLM‑as‑judge calibration story is complemented by a clearer picture of how domain experts in the region interpret borderline cases.

The "español-diverso" aggregation is the most significant design limitation, and the paper correctly identifies it. But it is worth naming the specific risk: an aggregate dataset mixing regional varieties cannot identify which variety drives degradation, so a practitioner deploying in, say, the Colombian Caribbean or the Río de la Plata region cannot determine from S-OWMI whether their specific linguistic context is the source of the bias gap. A next version should stratify español-diverso by dialect region so that organizations can receive a region-specific audit signal.

does an excellent job of connecting a technically rigorous Spanish‑focused safety audit to concrete governance needs in Latin American institutions, but its current scope and methodology still make it more of a strong prototype than a fully mature standard: you’ve framed S‑OWMI V1 very clearly as a perimeter tool that treats Spanish upstream data curation as a first‑class safety dimension and offers a usable L1/L2/L3 scorecard plus readiness blockers that procurement teams can actually act on, yet Vertical 2 (provenance/robustness) and Vertical 3 (tiered release/testing) remain aspirational, statistical power is limited, dialectal differences are still aggregated, and reliance on LLM‑as‑a‑judge means that for high‑stakes domains (especially factual QA in medical/legal/financial settings where Step 6 is L1 for both models) institutions should treat S‑OWMI V1 as a gate to reject or constrain unsafe open‑weight deployments rather than as sufficient evidence to green‑light them without additional domain‑grounded evaluation and stronger lifecycle governance.

Cite this work

@misc {

title={

(HckPrj) S-OWMI: A Perimeter Auditing Framework for Open-Weight Models in Latin American Institutions

},

author={

Ramiro Carnicer souble

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.