When the Safety Circuit Doesn't Speak Igbo: Asymmetric Cross-Lingual Transfer of Harm Representations in Qwen2.5-1.5B-Instruct

Chijioke Ubajaka

I test whether the difference-of-means "harm direction" that mediates refusal in Qwen2.5-1.5B-Instruct transfers from English to Igbo (~45M speakers, Nigeria). Using a 50-pair matched English-Igbo benchmark, I measure per-layer geometric overlap, cross-lingual AUROC transfer (with bootstrap CIs against same-language ceilings), and causal directional ablation during generation. I find a sharp asymmetry: the English-derived harm direction is at chance for Igbo at every layer and, when ablated at its point of peak geometric overlap, leaves Igbo refusal completely unchanged (12/12 baseline vs. 12/12 ablated) , while the Igbo-derived direction surprisingly transfers near-perfectly onto English. I also find that many baseline Igbo refusals read as generic comprehension failures rather than targeted, intent-aware refusals, suggesting low-resource-language safety may currently be accidental rather than designed.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This is careful, methodologically honest work on a genuinely neglected problem. The three-way distinction geometric overlap, behavioral transfer (AUROC), and causal effect is exactly the right framework for asking whether a safety circuit actually transfers across languages, rather than just correlates. The causal ablation at the layer of peak cosine overlap showing zero change in refusal rate (12/12 → 12/12) is a clean null result, and the author does not oversell it. The observation that a large share of "safe" Igbo refusals appear to be generic comprehension failures rather than intent-aware declines is the most practically important finding in the paper it suggests that a high surface refusal rate in a low-resource language can be deeply misleading as a safety signal.

The main limitations are ones the author acknowledges clearly: a single model at 1.5B, n=50 pairs, unaudited translations in the reported run, and ablation only at one layer. The IG→EN asymmetry (AUROC ≈ 0.99 despite a weak IG→IG ceiling) is flagged as puzzling and the most likely explanation that d_ig is capturing a broad topic signal that happens to align with the well-separated English subspace is plausible but untested. The complementary causal test (ablate d_ig, measure English refusal change) would go a long way toward resolving this. One practical suggestion: the comprehension-failure refusal pattern deserves its own short analysis rather than appearing only in the discussion even a few example transcripts would help readers appreciate the distinction between "model refuses in Igbo" and "model fails to parse Igbo." Overall this is a strong contribution for a hackathon setting and a clear template for extending to Yoruba, Hausa, and other Nigerian languages.

I see this study as providing highly preliminary results awaiting validation, but would be very meaningful if true. The potential topic-level signal confounder should be highlighted in the abstract, to calibrate the strength of the results. If both the topic-level signal confounder and the Igbo pseudo-refusal problems can be ruled out as explanations of the asymmetry (which imo is unlikely), one explanation may be that LMs process low-resource languages by internally "translating" them to high-resource languages, so directions in the former generalizes to the latter but not vice versa.

4 / 4 / 5

Very strong project. The idea is original and the results are clear, but it only tests one model and a small Igbo dataset.

Really clear writeup. Methodology is correct, however it seems like the projection asymmetry may be due to a model failure mode rather than from an actual knowledge gap in the model across languages. Could be interesting to try with other languages or models to determine whether this failure mode is actually the cause of the asymmetry or there's a foundational reason in the model knowledge for it.

Cite this work

@misc {

title={

(HckPrj) When the Safety Circuit Doesn't Speak Igbo: Asymmetric Cross-Lingual Transfer of Harm Representations in Qwen2.5-1.5B-Instruct

},

author={

Chijioke Ubajaka

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.