Towards Global South AI Sovereignty: A Federated Learning Framework for Collaborative LLM Development

Phemelo Maile, Mahlomola Mohlomi , Mueletshedzi Moses Mubvafhi

This project explores federated fine-tuning as a pathway for collaborative AI development in the Global South. Using African-language sentiment classification as a case study, we simulate five language-specific nodes that train locally on AfriSenti data and share only model updates rather than raw text. The results show that parameter-efficient updates reduce communication cost by about 184×, and that adding more participating nodes improves mean validation accuracy before plateauing. However, the lowest-resource language remains poorly protected, showing that future systems need stronger privacy-preserving and language-aware aggregation methods.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Great work.!

Excellent framing of the dependency risk faced by Global South institutions. Using parameter-efficient updates (LoRA) to reduce communication overhead by approximately 184x is a highly practical approach for resource-constrained environments. To push this to the next level, incorporating secure aggregation or differential privacy will be necessary, as model updates can still leak information under certain attacks. Additionally, exploring personalized adapters could help address the persistent low-resource node performance gap seen with the Xitsonga language node.

A well-written and candid proof-of-concept for an important but currently under-explored challenge: collaborative model development using data-local models in the Global South. It identifies its own limitations clearly. Rather than overstating the benefits of q-FFL, the authors are upfront that it fails to protect the least-resourced node and that simply increasing participation does not resolve performance issues caused by resource constraints. That negative finding is genuinely useful.

Possible ways to improve it:

(1) Provide baseline numbers. For the three-class sentiment task, random or majority is roughly 0.33, while Xitsonga sits around 0.17, which is below chance, so it is unclear whether the federation learned anything about the lowest-resource language. Reporting a random or majority baseline and a centralized (non-federated) upper bound would put context around every result.

(2) Demonstrate statistical significance. Many reported effects (q-FFL's gains of roughly 0.01 to 0.02, and the worst-language trend from about 0.16 to 0.18) fall within the seed-to-seed variance. Paired t-tests or confidence intervals across the three seeds would separate real effects from measurement noise. Figure 2 also looks non-monotonic, so "a modest improvement" may be reading a pattern into noise.

(3) Refine the scope of the framing. State up front that this is an encoder-classification proxy, and treat large-scale generative or instruction tuning as future work (which you already mention).

(4) Present the full efficiency trade-off. The roughly 184x reduction in transmission size is mostly a consequence of sending only the LoRA adapters, so reporting any accuracy cost relative to sending full model updates would show how efficient the system truly is.

(5) Run a sensitivity analysis for q-FFL. You only report q = 2.0. A short sweep over different q values would show whether fairness weighting can ever help the worst-performing node, or whether the failure is inherent to this formulation.

Net: a clear, honest submission with a genuinely useful negative result; the main path to a stronger version is better baselines and significance testing so the currently small effects can be trusted.

Cite this work

@misc {

title={

(HckPrj) Towards Global South AI Sovereignty: A Federated Learning Framework for Collaborative LLM Development

},

author={

Phemelo Maile, Mahlomola Mohlomi , Mueletshedzi Moses Mubvafhi

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.