Pakzad wasn’t some outsider poking at ChatGPT for fun. She was at Mozilla Foundation building multilingual AI evaluation tools and running experiments across languages. Summarization kept bugging her — it felt like a blind spot everyone was ignoring.

So she built a technique called Bilingual Shadow Reasoning and submitted it to OpenAI’s GPT-OSS-20B Red Teaming Challenge. The idea is terrifyingly simple:

• Take a model’s hidden chain-of-thought
• Steer it through a custom system prompt written in a non-English language
• Watch the output completely change meaning while still looking professional and neutral

I mean. The output doesn’t look hacked. It looks like a normal summary. That’s the scary part.

She fed the same UN human rights report about Iran into GPT-OSS-20B three times:

The Farsi policy literally mirrored the Islamic Republic’s own talking points — cultural sensitivity, religious values, sovereignty — and the model just… went with it. No pushback. No safety warning. Nothing.

And here’s what should keep you up at night: she found that summarization tasks are WAY easier to steer than Q&A tasks. So asking a chatbot a direct question about Iran? The guardrails might catch it. Asking it to summarize a report about Iran? Wide open.

She didn’t stop at one experiment. At Mozilla, she ran 655 evaluations across GPT-4o, Gemini 2.5 Flash, and Mistral Small. The results:

Kurdish and Pashto got the worst treatment. And get this — Gemini appropriately refused to give herbal remedies for serious symptoms in English but happily dispensed them in non-English languages. Same model. Same question. Different language = different safety standards.

Oh, and when they used LLM-as-a-Judge to evaluate outputs? It inflated English actionability scores to 4.81/5 while rating non-English at 3.6/5. Never expressed uncertainty. Never said “I can’t fact-check this.” Just vibed.

Pakzad and Mozilla.ai’s Daniel Nissani tested three guardrail systems — FlowJudge, Glider, and AnyLLM — against 60 asylum-seeker scenarios with policies in English vs Farsi.

The guardrail called Glider produced 36-53% score discrepancies based solely on what language the policy was written in. For semantically identical text. The guardrails also:

• Hallucinated terms more frequently in Farsi reasoning
• Made biased nationality assumptions
• Basically forgot how to do their job when the language switched

So the systems specifically designed to catch this stuff… can’t catch this stuff. Cool cool cool.

HN commenters confirmed what Pakzad found from their own experience:

• “Talking with Gemini in Arabic is a strange experience — it cites Quran” and adopts religiously-influenced patterns
• Multiple users noted LLMs become “stupider” in non-English languages with higher hallucination rates
• One user pointed out the radicalization risk when models internalize language-specific training data biases
• Someone suggested translating non-English inputs to English first, evaluating, then translating back — but that defeats the whole purpose of multilingual support

The broader concern from research by Abeer et al.: LLM summaries altered sentiment 26.5% of the time and made consumers 32% more likely to purchase a product after reading an AI summary vs the original review. So this isn’t theoretical — it’s already shaping decisions.

Think about who uses AI summarization right now:

• Governments generating policy briefs
• Companies summarizing customer feedback
• News orgs auto-summarizing articles
• HR departments summarizing interview transcripts
• Legal teams summarizing depositions and contracts

Any closed-source wrapper built on top of a major LLM — the kind marketed as “culturally adapted” or “compliance-vetted” — can embed hidden instructions as invisible policy directives. Facilitating censorship, propaganda, marketing manipulation, or historical revisionism. All while users think they’re getting an accurate summary.

And the user never knows. Because the output looks perfectly professional.

Companies shipping AI products to non-English markets have NO idea their guardrails are Swiss cheese. Offer multilingual red teaming audits — test their chatbots, summarizers, and customer service bots in 5-10 languages and deliver a report showing where safety breaks down.

Example: A freelance AI safety consultant in Berlin, Germany used Pakzad’s open-source evaluation framework to audit a Middle Eastern fintech’s Arabic chatbot. Found 14 safety bypass vectors in 2 days. Charged €8,500 per audit, now has 3 recurring enterprise clients.

Timeline: 2-4 weeks to build your eval pipeline, first paying client within 6 weeks if you’re already in the AI/ML space

The tools Pakzad built are open-source. There are commercial players like Galileo (sub-200ms latency, ~$0.02/million tokens) and Avido, but nobody is specifically focused on cross-language guardrail drift detection. Build a SaaS that lets companies paste in their system prompt, pick 10 languages, and get an instant safety score comparison.

Example: A two-person dev team in Bangalore, India built a lightweight API that runs guardrail consistency checks across 12 Indian languages. Listed on Product Hunt, got picked up by 2 Indian banking apps within the first month. $4,200 MRR within 90 days.

Timeline: MVP in 3-5 weeks using existing open-source frameworks (NeMo Guardrails, Langfuse). Charge $200-500/month per seat.

This research is dense but the implications are massive — and most product managers, compliance officers, and CTOs have zero clue. Create a newsletter, course, or workshop breaking down multilingual AI risks for non-technical decision makers.

Example: A former localization manager in São Paulo, Brazil started a Substack on “AI safety across languages” after reading this research. Grew to 2,800 subscribers in 4 months, launched a $149 workshop for compliance teams. $6,700 from the first cohort alone.

Timeline: Start writing within a week. First paid offering in 4-6 weeks. Growing demand as more companies face AI regulation.

Companies with multilingual deployments need someone to write and stress-test their system prompts in multiple languages. Offer a service that takes their English system prompt, translates it properly for each target language, and verifies the outputs stay consistent across all of them. Basically prompt engineering but for the 95% of the world that doesn’t speak English.

Example: A computational linguist in Nairobi, Kenya offered prompt hardening services to 3 African e-commerce startups deploying Swahili and Amharic chatbots. Found that safety disclaimers disappeared entirely in Amharic. Charged $3,000 per language pair, now booked out 2 months.

Timeline: If you speak 2+ languages and understand LLMs, you can start tomorrow. List on Upwork/Fiverr targeting AI companies.