WEST-CENTRAL ASIA AI SAFETY INSTITUTE (AISI) BLUEPRINT: A Socio-Technical Feasibility Framework and Deployment Compliance Sandbox

Ammara Durrani

Current Global South AI safety discourse systematically excludes West-Central Asian countries, leaving a critical geopolitical swing region operating in a governance vacuum. This paper introduces the West-Central Asia AI Safety Institute (AISI) Blueprint, a macro-institutional feasibility framework tailored for resource-constrained middle powers in this pivotal region navigating U.S.-China tech competition. Adapting Singapore’s 2C1D strategic framework, the blueprint shifts the governance paradigm from exclusionary upstream frontier capability training caps toward localized, edge-layer deployment-side defense while establishing a critical interface with international AI governance regimes. To demonstrate immediate operational utility, the framework integrates a functional U.S.-China AI-Biosecurity trade compliance artifact: the BioExport Navigator Compliance Sandbox (Module 1). This module automates multi-jurisdictional trade and dual-use compliance auditing for localized Small Language Models (SLMs). By replacing subjective multi-LLM cloud consensus with deterministic open-source evaluators (Promptfoo and PolyGuard), this socio-technical architecture provides West-Central Asian middle powers an actionable path toward verifiably safe model deployment, digital sovereignty, and agency to navigate great power AI competition.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Well done, you stand apart with the regional lens. Mapping West-Central Asia as a distinct, neglected vacuum with its own compute, linguistic, and kinetic risk profile is a genuinely valuable framing. Documenting the discarded multi-LLM approach and the candid limitations section are both real strengths. My greatest challenge was in reviewing the data and empirical claims when most of the evidence was withheld due to hazard and safety risks. The presentation compounds this in places such as the readiness indices are labelled a "conceptual model" in the figure but described as proof in the text, so tightening where modelled estimates are spoken of as findings would sharpen the whole paper. The highest-value fix is to make some of the data inspectable: even a small sanitized slice, a handful of example prompts, and the contingency table behind the McNemar's test. If the info-hazard designation does not allow this then reframe the numbers as a demonstration on a closed set rather than established findings, and lead with the framework, which is strong on its own

The technical research is innovative and robust with interesting and immediately implementable findings. They recommend an immediately useful and implementable solution for deployment-side defense in under-resourced, middle-power states. Their approach is two-fold: a macro-level Institutional Readiness Scorecard evaluating a middle power’s structural capacity to deploy an AI Safety Institute focused on localized, low-compute solutions; and a compliance tool to audit edge model deployments. The tool utilizes an open-source evaluation toolkit and a multilingual safety classifier to audit model responses and jailbreaks. It uses a past project, the “BioExport Navigator: A Decision-Support Tool for U.S.- China AI-Biosecurity Trade Compliance” as a case study. It clearly defines three potential catastrophic risks of AI in select West and Central Asian countries, and three distinct threat models or potential failure points relevant for the region. It also showcases institutional capacity for three specific countries. The limitations section provides a clear overview of pathways for potential pathways to strengthen the research post-hackathon.

The “Negative Results: What Did Not Work” section provided valuable evidence to support the authors argument that model response failure rates and safety breakdowns were more frequent in local languages and when referencing export control countries.

The most impactful and data-driven central arguments/thesis/key findings are buried. They need to be summarized and presented upfront in an executive summary:

• “The massive 46.3% accuracy gap in multilingual jailbreak detection proves that frontier cloud models experience severe alignment decay outside Western and East Asian language streams”

• “the West-Central Asian corridor is exposed to unmonitored dual-use proliferation”

• “Our empirical findings demonstrate that replacing fragile, cloud-dependent multi-LLM consensus with deterministic, local open-source evaluators (Promptfoo and PolyGuard) eliminates a 14.5% API call failure rate, accelerates evaluation speeds by 14x, and restores multilingual jailbreak detection accuracy in regional scripts like Urdu and Pashto by +46.3% (p < 0.0001). By housing our peerreviewed, expanded BioExport Navigator Compliance Sandbox (Module 1) within a structured national safety organ, under-resourced states can protect their digital borders from automated biosecurity exploits, malicious edge fine-tuning, and cross-border alignment drift”

• “By automatically treating regional West Asian scripts and geographic 16 location nodes as inherently high-risk anomalies, current state-of-the-art architectures enforce a form of digital algorithmic colonialism that erases under-resourced middle powers from the safety ecosystem. This empirical double-failure confirms that West-Central Asian nations cannot outsource safety verification to Western or East Asian cloud APIs, underscoring the urgent national security mandate to deploy self-hosted, deterministic, and open-source evaluation sandboxes (Promptfoo/PolyGuard) running entirely on air-gapped local edge hardware.”

I wish the paper included actionable recommendations for policymakers to implement the sandbox approach, maybe in a separate recommendations section. I’m unclear how incorporating this compliance sandbox into national organs actually prevents the use of open-weight models for risky use cases in terms of enforcement? In the case of jailbreaks, who is responsible for auditing deployments, catching violations, and reporting them to developers to patch? Would the govt be responsible for identifying jailbreaks and reporting to the model developers to patch? Or are the authors proposing a mandatory compliance certification that forces developers to natively incorporate multilingual support before entering the local market?

The paper seems to rely heavily on LLM generated writing. It provides lots of useful details and insights, but is overly “wordy” and lacks concise clarity and structure that enhances readability.

Figures 2-5 are overly dense and text-heavy for data visualization. They try to communicate too much information simultaneously, making them ineffective as communication tools.

Cite this work

@misc {

title={

(HckPrj) WEST-CENTRAL ASIA AI SAFETY INSTITUTE (AISI) BLUEPRINT: A Socio-Technical Feasibility Framework and Deployment Compliance Sandbox

},

author={

Ammara Durrani

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.