We Are Convinced That Persuasion Is Linear And Bilingual In LLMs

Ivan Yuri De Leon, Arnel Malubay

As LLM chatbots become a primary source of consequential advice, their persuasive power carries growing societal risk. We ask whether persuasion is a structured internal property of LLMs, rather than an artifact of prompt wording, drawing on Zeng et al.'s taxonomy of persuasion techniques [6]. Using diff-of-means activation analysis, we find five techniques converge on a single linear direction (minimum pairwise cosine similarity 0.77), causally sufficient to increase judged persuasiveness via activation steering (44.4→51.3 mean score), generalizing with attenuation to held-out high-stakes content. We further test causal cross-lingual transfer between English and Tagalog, finding both directions increase persuasiveness with highly similar underlying representations (0.66 average cosine similarity). We ground this in the Philippines, a consumer state with high AI adoption and disproportionate exposure to persuasion risk.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The application of activation steering to a low-resource language (Tagalog) and the exploration of cross-lingual transfer are both timely and relevant to AI safety, particularly given growing concerns around AI-enabled persuasion.

The project would be strengthened by:

- Eliminating the acknowledged length and lexical confounds through carefully controlled persuasive/neutral datasets before attributing the direction specifically to persuasion.

Evaluating naturally occurring persuasive text rather than predominantly synthetic examples to improve ecological validity.

- Exploring defensive applications (e.g., suppression or detection of persuasion directions), which would strengthen the project's direct contribution to AI safety beyond demonstrating the capability.

The core finding — five independently constructed persuasion techniques converge on a single shared direction in activation space — is clean and well-presented, with minimum pairwise cosine similarity of 0.77 in English and 0.81 in Tagalog. The in-distribution steering effect (44.4→51.3, non-overlapping CIs) establishes causal sufficiency within distribution. The Philippines motivation is well-grounded in real adoption statistics, and the OOD held-out design is a sensible choice.

The length and lexical confound is the critical unresolved issue. Persuasive examples are longer, citation-rich paragraphs; neutral examples are short standalone sentences. The extracted direction may be capturing "verbose, structured response" rather than persuasion as an abstract concept — the qualitative examples in Appendix A6 make this concrete, where steered responses are visibly longer with more headers, bullet points, and bold formatting. Until length-matched pairs are constructed and the direction re-extracted, it is not possible to know whether the paper has found a persuasion direction or a length and style direction. This is the top priority for any follow-up.

The cross-lingual asymmetry needs a cleaner judge. The finding that the Tagalog-derived direction works better on English (Δ=+7.9, CIs separated) than the English-derived direction works on Tagalog (Δ=+3.9, marginal) is interesting, but a single GPT-4o-mini judge with no language calibration is a plausible alternative explanation — an English-language judge systematically rewarding English fluency markers would produce exactly this pattern. A calibrated bilingual or Tagalog-language judge would disentangle this.

Replicate on at least one additional model. All results come from one model. Cross-model replication is the standard check for whether a found direction reflects a general property of persuasion or an artifact of this specific model's training.

A LLM-judge persuasion score does not do justice to the actual capability that we should be tracking i.e. actual humans changing beliefs, behaviour be it in consumer, voting, where they allocate their time or attention. For sure this is way more ambitious but I would be excited about an extension where AI tries to engage with CMV style subreddits and Twitter community notes and move people's stated positions in issues where they have clear stakes.

Even more ambitious would be to do follow up studies and track actual behaviour change. Like this can be via AI generated content, click through rate, how many brands are getting actual constumers from AI generated ads, that are targeting that demographic, what about donations to cause. More than AI generated images that give an uncanny effect what matters is the framing, choice of words and if that A/B test reveals increasing ability to gather human attention and care. (use archived data observationally don't deploy AI on humans without consent ofc)

This would be a valuable benchmark so that policy makers realise what an adversarial memetic environment the internet can become once open source models have these capabilities and bots start using them against everyone.

This work as it stands is showcasing the threat vector available to actors with white box access to make models super persuasive and the multilingual aspects seem valuable as a warning shot for AI safety evaluators/governance folks.

More work is needed before we can be sure the linear direction is not just picking up aspects like verbosity, confidence, assertiveness, authority language, direct recommendation style, evidential framing, etc

Cite this work

@misc {

title={

(HckPrj) We Are Convinced That Persuasion Is Linear And Bilingual In LLMs

},

author={

Ivan Yuri De Leon, Arnel Malubay

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.