Ufakazi

Kevin Brand, Racquel Dennison

Ufakazi is an evaluation harness built to determine whether models are unfairly biased towards trusting testimonies presented in high-resource languages (specifically English). By controlling for confounders, we isolate the language bias of various current generation LLMs and show that they often unfairly discriminate against marginalised and underrepresented communities.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

## Strengths

This is an important finding, demonstrated well. LLMs are already being deployed in legal settings, so a credibility bias that tracks the language a testimony is written in is a concrete, high-stakes risk rather than a hypothetical one. The work shows that 7 of 9 models systematically prefer English testimony over evidentially-balanced testimony in Afrikaans, isiZulu, or isiXhosa, and that the effect deepens as the language gets lower-resourced.

The strongest contribution is the effort to isolate language discrimination as the sole cause. The design holds the content and the answer position fixed and varies only the language, with same-language controls to confirm the setup is neutral before trusting the cross-language numbers. The team then closes off the obvious alternative explanations: a human-versus-machine translation provenance check, a verbosity and length check, and a Gemma scale ladder. The rationale analysis is a standout, because the models often name the language of the testimony as their reason, which turns a statistical signal into interpretable evidence.

## Weaknesses

The finding is important, but its impact has a ceiling. It demonstrates a risk in one deployment context rather than mitigating it or opening a broad new direction, which keeps it at significant rather than exceptional. The scope is also bounded by the data. The scenario set is small, so some confidence intervals are wide and the results are indicative rather than conclusive on the most uncertain cells. The two models closest to the frontier did not show the bias, and the paper does not yet establish why, which leaves the most decision-relevant question open.

## Recommendations for the authors

This is strong, well-executed work, and a few extensions would turn it into a full paper. First, **expand the scenario set so the confidence intervals can be computed reliably**, which would move the borderline results from indicative to conclusive. Second, **evaluate the frontier models directly**. The signal that the strongest models may not share the bias is the most important open question, and a full version needs to establish whether that holds. If it does, you can give legal practitioners a concrete, evidence-based recommendation: that weaker models cannot be trusted for high-stakes testimonial work, and which classes of model are safer to deploy.

The findings in this project carry clear implications and the authors can be commended for the problem they have identified. I did however find the explanation quite lengthy and perhaps a bit too technical / over-explained - the introduction was clear and then it became difficult to follow until 'The bias is in the reasoning, not only the choice...' (page 9). It certainly is something that courts should be aware of in relying on LLMs to assist with witness testimonies (or any documentation referred to the court in a language other than English). Well thought out.

The project is well-executed and addresses an important problem. However, there are two notable limitations:

- The evaluation is based on general-purpose language models rather than models specifically designed or fine-tuned for legal tasks, limiting the strength of the conclusions about legal reasoning.

- The paper does not attempt to characterize the likely distribution of the models' training data across languages or regions. While frontier model developers do not disclose their training data composition, it is reasonable to expect these datasets to be heavily skewed toward high-resource languages. This makes it difficult to determine whether the observed biases are inherent to the models or primarily a consequence of underlying data imbalances.

Cite this work

@misc {

title={

(HckPrj) Ufakazi

},

author={

Kevin Brand, Racquel Dennison

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.