Thought Anchors for Social Bias: Which Reasoning Steps Matter in Extended Thinking LLMs on Latin American Scenarios

Andres Felipe Mosquera Hernandez

We investigate which reasoning steps in extended-thinking LLMs are associated with pro-stereotypical outputs on Latin American social bias scenarios. Social bias benchmarks, including BBQ \citep{parrish2022bbq}, SESGO \citep{robles2024sesgo}, and EsBBQ/CaBBQ \citep{ruizfernandez2025esbbq}, measure final-answer distributions but provide no visibility into intermediate reasoning. We adapt the thought-anchor resampling framework \citep{bogdan2025thoughtanchors} to social bias measurement: for each sentence-level chunk in a model's chain-of-thought, we remove it, resample $K{=}3$ continuations, and measure the change in pro-stereotypical output probability via three importance metrics. We apply this pipeline to SESGO-small, an 80-item stratified pilot subset spanning four Latin American bias categories (\textit{género, clasismo, racismo, xenofobia}), two languages, and three recent models with extended thinking. Across 1,708 chunk-level attributions, disambiguated contexts show higher pro-stereotypical output rates than ambiguous ones (33–75\% vs.\ 0\%), and high-importance reasoning positions tend to be tagged as \texttt{logical\_reasoning} or \texttt{context\_recall} rather than \texttt{stereotype\_activation}. These pilot results suggest that bias-relevant moments may lie in general inference steps rather than overt stereotype invocations, offering a step-level diagnostic target that complements answer-level

benchmarks. More broadly, attributing bias to specific reasoning steps could help

localize where stereotyping enters a model's reasoning, though our findings remain preliminary.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Adapting thought-anchor resampling to social bias measurement in extended-thinking LLMs on Latin American scenarios opens a research direction that did not previously exist. The finding that high-importance steps are logical_reasoning and context_recall (not stereotype_activation) is counterintuitive and potentially significant. This suggests that bias enters reasoning disguised as general inference, which has direct implications for how mitigation interventions should be designed. To consolidate the work, the most urgent next steps are increasing K from 3 to at least 10 rollouts per chunk to obtain importance estimates with higher resolution, validating semantic chunk labels with human annotation, and applying the pipeline to the full SESGO benchmark for adequate statistical power per cell. The future work question of whether backtracking acts as a protective mechanism against stereotypical outputs is one of the most important questions the paper leaves open.

This is a strong and creative extension of Thought Anchors into social-bias evaluation.

The repo is very reviewer-friendly, with clear reproduction commands and cost disclosure.

Small note: the video is announced but I could not play it. I would have enjoyed seeing it, not many teams did one and it helps reviewers a lot.

Agentic harnesses have been seen to greatly improve capability, and therefore I think harnesses are a very important safety angle to study. So I like the problem choice. If I'm understanding the result correctly, I think it is quite interesting that bias is coming out in "reasoning steps" and not in "recall steps", so somehow it seems that even if bias is not recalled directly from model "memory" it could come out in agents in more subtle ways. I think this is a good angle to study.

I find it hard to study the correctness of methodology and validity of results under my time constraints, but I like the problem choice. Presentation could use less jargon to be followed at least at a high level under strict time constraints.

This is a very strong and focused contribution. The paper applies a resampling approach to understand where social bias appears inside the model’s reasoning, using the Latin American benchmark SESGO. This is a genuinely interesting angle, because it goes beyond simply looking at final answers. The pipeline is carefully built, and the main finding is interesting: the reasoning steps that shift bias are often classified as general reasoning or context recall, rather than direct stereotype activation. The biggest strength is the paper’s honesty about its limits. It is clear that the small SESGO exercise, with 80 items and limited validation, is a proof of concept rather than a basis for firm conclusions. To strengthen the paper, I would scale the analysis to the full SESGO benchmark, use more repeated runs, validate the labels with human coders, and report agreement across coders. Excellent writing and reproducibility. A very strong project.

Cite this work

@misc {

title={

(HckPrj) Thought Anchors for Social Bias: Which Reasoning Steps Matter in Extended Thinking LLMs on Latin American Scenarios

},

author={

Andres Felipe Mosquera Hernandez

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.