Fail-Closed Governance
In adaptive systems, errors in the control layer must not silently become approval. Fail-closed governance means uncertainty denies or pauses the action until independent review succeeds.
Fail-open hazards
Fail-open behavior appears when evaluator outages skip tests, missing metadata defaults to trusted, hidden-test failures are ignored, signature checks are soft warnings, or canary monitors are disabled during release pressure.
Fail-closed design
A fail-closed control plane denies promotion when provenance is missing, halts composition when a dependency is unsigned, freezes aliases during evaluator disagreement, blocks memory consolidation during incident review, and prevents tool-permission expansion without a separate approval record.
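As an added example, not code from the original page, the following policy function turns the hazards listed under "Fail-open hazards" and the rules under "Fail-closed design" into one decision: every check result is tri-state (passed, failed, or never ran), and only an explicit pass counts. The evidence fields, evaluator names and reason strings are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Verdict(Enum):
    ALLOW = "allow"
    PAUSE = "pause"  # hold until independent review succeeds
    DENY = "deny"

@dataclass
class Evidence:
    """What the control plane knows about a proposed promotion (hypothetical schema).
    None means "the check did not run" (outage, skipped, missing metadata); a
    fail-closed policy treats that as failure, never as success."""
    provenance_present: bool
    signature_verified: Optional[bool] = None
    hidden_tests_passed: Optional[bool] = None
    evaluator_votes: dict = field(default_factory=dict)  # evaluator name -> accepted?
    canary_healthy: Optional[bool] = None
    expands_tool_permissions: bool = False
    approval_record_id: Optional[str] = None  # separate approval record, if any

def decide(ev: Evidence):
    """Return (verdict, reasons). Hard failures and absent evidence deny;
    disagreement or an unobserved canary pauses; only complete evidence allows."""
    deny, pause = [], []
    if not ev.provenance_present:
        deny.append("provenance missing")
    if ev.signature_verified is not True:      # a soft warning is not a pass
        deny.append("signature not verified")
    if ev.hidden_tests_passed is not True:     # evaluator outage is not a pass
        deny.append("hidden tests not passed")
    if ev.expands_tool_permissions and not ev.approval_record_id:
        deny.append("tool-permission expansion lacks approval record")
    if not ev.evaluator_votes:
        pause.append("no evaluator verdict recorded")
    elif len(set(ev.evaluator_votes.values())) > 1:  # freeze on disagreement
        pause.append("evaluator disagreement: " + ", ".join(
            f"{k}={v}" for k, v in sorted(ev.evaluator_votes.items())))
    elif False in ev.evaluator_votes.values():
        deny.append("evaluators rejected the candidate")
    if ev.canary_healthy is not True:          # a disabled monitor is not "healthy"
        pause.append("canary not observed healthy")
    if deny:
        return Verdict.DENY, deny
    if pause:
        return Verdict.PAUSE, pause
    return Verdict.ALLOW, []

if __name__ == "__main__":
    # Constructed sample: the signature check was skipped, so promotion is denied.
    print(decide(Evidence(True, None, True, {"eval-a": True}, True)))
```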
Organizational requirement
Fail-closed controls only work if operators are allowed to tolerate delay. A culture that punishes a rollback or a no-op outcome will pressure the system toward fail-open workarounds.