Fail-Closed Alignment for Large Language Models

We identify a structural weakness in current large language model (LLM) alignment: modern refusal mechanisms are fail-open. While existing approaches encode refusal behaviors across multiple latent features, suppressing a single dominant feature$-$via prompt-based jailbreaks$-$can cause alignment to collapse, leading to unsafe generation. Motivated by this, we propose fail-closed alignment as a design principle for robust LLM safety: refusal mechanisms should remain effective even under partial failures via redundant, independent causal pathways. We present a concrete instantiation of this principle: a progressive alignment framework that iteratively identifies and ablates previously learned refusal directions, forcing the model to reconstruct safety along new, independent subspaces. Across four jailbreak attacks, we achieve the strongest overall robustness while mitigating over-refusal and preserving generation quality, with small computational overhead. Our mechanistic analyses confirm that models trained with our method encode multiple, causally independent refusal directions that prompt-based jailbreaks cannot suppress simultaneously, providing empirical support for fail-closed alignment as a principled foundation for robust LLM safety.

Key Contributions

Identifies the 'fail-open' structural weakness in current LLM alignment: suppressing a single dominant refusal feature via prompt-based jailbreaks causes full alignment collapse
Proposes fail-closed alignment as a design principle — refusal mechanisms should remain effective under partial failures via redundant, independent causal pathways
Presents a progressive alignment framework that iteratively ablates learned refusal directions and forces the model to reconstruct safety in new, independent subspaces