Who Watches the Watchers? Governance Agency in AI Verification and Monitoring Regimes

Parveen Sheikh, Meenakshi Neeharika Mangipudi

As the world debates an "IAEA for AI," the conversation has focused on what to monitor and how, and has skipped the prior political question of who holds verification authority, who can contest it, and who carries its burden. This project argues that verification is not a neutral technical instrument but a structure that distributes power. We bring an interdisciplinary lens to the question, pairing a quantitative analysis of 128 historical arms-control agreements from the Alva Myrdal Centre database with a qualitative framework we call Governance Agency, built on three measured dimensions, Access, Recourse, and Burden, and two qualitative ones the data cannot capture, legitimacy and exit. We find that direct verification is rare, that recourse is the least-developed dimension, and that monitoring authority and compliance burden rise together while the power to challenge does not. Reading these patterns through history and power, and through the contrast between the NPT and the CWC, we show that asymmetric verification is not only unjust but unstable, because it makes defection rational. We argue that an inclusive verification regime, one that gives middle powers and the Global South real authority rather than tokenism, is necessary if humanity is to govern AI together.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This is ambitious, original work. You ask the deeper question of who holds the power to monitor and who just gets watched. Using two centuries of arms-control data to answer it is an innovative move, and the Access/Recourse/Burden framework you developed provides a reusable lens. By applying it to the Baker et al. proposal to show it would recreate the NPT imbalance almost exactly really stands out. My main reservation is how much weight the statistics can hold: your numbers count what rules appear in treaty texts, but the thesis is about power, that these systems are built by the strong to watch the weak, counting clauses can't show that. For example, a treaty between two equal rivals would look identical in your data to one between a dominant state and a subordinate one. What actually proves your point is the history, especially the NPT/CWC comparison; to your real credit you say this in the limitations, but the body prose still leans on the numbers with language like "proves" and "stark warning". The point I'd add, and where I'd push hardest, is the durability of the analogy itself: arms-control verification rests on physical, countable artifacts and decades of slowly-built trust and enforcement infrastructure that the AI case lacks, so the CWC's "symmetric design" may owe as much to its enforcement context as to design choices, the cleaner you can be about which features actually transfer to AI and which don't, the more the historical argument carries. The highest-value next step is the one you gesture at: re-code the agreements by major-power involvement, so the numbers can finally speak to the power distribution directly. Excellent, genuinely thought-provoking work.

This paper analyzes historic arms control agreements to develop a “Governance Agency Framework” for AI similar to the proposed “IAEA for AI.” They claim this verification mechanism must be designed around equitable distribution of power based on who has power/agency to influence the system itself to prevent centralization, and they evaluate the historical treaties’ “capacity of actors to participate meaningfully within verification systems through access to monitoring processes, institutional recourse mechanisms, and engagement with compliance structures.” It aims to understand the political structures behind treaty verification mechanisms, and be a pre-cursor to the technical “how” of implementation. This well-written paper offers a clear and well-explained presentation of the technical research conducted, and the results. The inclusion of two deep-dive case studies on the Treaty on the Non-Proliferation of Nuclear Weapons and the Chemical Weapons Convention gave additional illustrative color which could not be captured in the quantitative research findings.

While the aim to not “accept the asymmetry as fixed” is noble and altruistic, the paper lacks a practical answer on how to overcome the challenge of “convert[ing] national capacity into institutional authority within the design of global monitoring systems.” What regulatory leverage does the Global South have to influence the US and China to cede their competitive advantages? The paper provides a historical analysis which offers a diagnosis of the structural problem, but does not deliver an actionable policy framework. It would benefit from practical recommendations for strengthening Global South agency within a future AI treaty given the findings/results of the study. For example- given the low rate of formal verification mechanisms across historical arms-control agreements, how can modern technology be incorporated into treaty verification structures to allow for: remote monitoring instead of site visits; lower compliance burden for under-resourced states; or improving recourse and enforcement in a multilateral model without creating a dedicated agency like in the case of the OPCW for the CWC; or combating the “governance agency risks” laid out in the paper.

Suggestions:

• The critical link between the historical arms-control analysis and actual mapping of this onto technical AI monitoring implementations does not appear (briefly) until page 17 of 22. By truncating the "how" of implementation, the paper’s immediate impact on the field is limited. TO effectively make their case, the authors must include how the Global South can effectively operationalize the “capacity to actually inspect, verify, and define compliance.”

• Given the analysis on bilateral vs. multilateral agreements, it would be interesting to propose what a bilateral US-China AI treaty, or other bi-lateral combo in the global south would look like and how that would affect the broader ecosystem.

• The graphics/charts lack standalone utility- I recommend the authors rework the graphics so if someone saw just one chart without reading the whole paper, they could identify a central argument of the paper.

• The authors should highlight the arguments in the discussion section which are the key findings to support the claims in the introduction, and connect the research they conducted to their central argument. Answer this question clearly upfront- how does the data prove a historic disadvantage for the global south, and what does a potential opening for improved structures look like in the future based on the research conducted?

Cite this work

@misc {

title={

(HckPrj) Who Watches the Watchers? Governance Agency in AI Verification and Monitoring Regimes

},

author={

Parveen Sheikh, Meenakshi Neeharika Mangipudi

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.