When Language Models Go Wrong: Mapping the Paths to Failure

by

Author: Denis Avetisyan

New research reveals that the ways large language models stumble aren’t random, but instead follow predictable patterns within a complex ‘manifold of failure’.

Attraction basin analysis reveals a stark divergence in model behavior, with Llama-3-8B exhibiting attraction basins in 93.9% of the explored parameter space, GPT-OSS-20B displaying a more fragmented 64.3%, and GPT-5-Mini demonstrating a complete absence of attraction, suggesting a fundamental difference in their capacity to converge on stable solutions.
Attraction basin analysis reveals a stark divergence in model behavior, with Llama-3-8B exhibiting attraction basins in 93.9% of the explored parameter space, GPT-OSS-20B displaying a more fragmented 64.3%, and GPT-5-Mini demonstrating a complete absence of attraction, suggesting a fundamental difference in their capacity to converge on stable solutions.

This work introduces a Quality-Diversity approach using MAP-Elites to characterize and visualize the behavioral topology of failure modes in large language models.

While current approaches to AI safety largely focus on correcting problematic outputs, a comprehensive understanding requires characterizing the vulnerabilities themselves. This paper, ‘Manifold of Failure: Behavioral Attraction Basins in Language Models’, introduces a framework for systematically mapping these unsafe regions in Large Language Models (LLMs) using quality-diversity optimization. By revealing structured ‘attraction basins’ of failure-rather than isolated incidents-we demonstrate distinct behavioral topologies across models like Llama-3-8B, GPT-OSS-20B, and GPT-5-Mini, achieving up to 63% behavioral coverage. Can this approach to visualizing the safety landscape ultimately enable the development of more robust and predictably aligned LLMs?

The Illusion of Safety: Mapping the Limits of LLM Alignment

Even with substantial progress in their development, Large Language Models (LLMs) continue to demonstrate unexpected and potentially harmful failures in safety protocols. These unpredictable breakdowns aren’t simply edge cases; they represent a fundamental challenge in aligning artificial intelligence with human values and expectations. Consequently, the field urgently requires evaluation methods that move beyond superficial testing and delve into the complex behavioral patterns of these models. Current approaches often fail to identify critical vulnerabilities, leaving systems susceptible to generating biased, misleading, or even dangerous outputs. The need for robust evaluation isn’t merely academic; it’s essential for responsible deployment and public trust, demanding a shift towards more comprehensive and rigorous assessment frameworks that can proactively uncover and mitigate potential risks.

Current methods for assessing the safety of Large Language Models often fall short due to their limited scope, effectively charting only a small fraction of the potential ‘Behavioral Space’ – the full range of possible inputs and resulting outputs. These benchmarks, while useful for initial testing, frequently fail to uncover subtle yet critical vulnerabilities that emerge when models encounter unexpected or adversarial prompts. This limited coverage creates a false sense of security, as LLMs can perform well on standard tests while still exhibiting dangerous or undesirable behaviors in real-world scenarios. The vastness of the Behavioral Space, coupled with the increasing complexity of these models, necessitates the development of more comprehensive and robust evaluation strategies to truly understand and mitigate potential risks.

Assessing the safety of Large Language Models demands more than qualitative observation; a quantifiable metric is crucial for pinpointing vulnerabilities. Researchers have introduced ‘Alignment Deviation’ (AD) as a precise measure of how far an LLM’s response strays from expected safe behavior. This metric allows for systematic evaluation across a wide range of prompts and scenarios, moving beyond subjective assessments. Initial studies utilizing this metric reveal that ‘Llama-3-8B’ currently exhibits a mean AD of 0.93, a figure indicating a substantial divergence from desired safe responses and highlighting a significant vulnerability that warrants further investigation and mitigation strategies. This high AD score underscores the need for continuous monitoring and refinement of these models to ensure responsible AI development.

Behavioral heatmaps reveal that Llama-3-8B is broadly vulnerable at an attack direction (<span class="katex-eq" data-katex-display="false">AD \approx 1.0</span>), GPT-OSS-20B exhibits localized vulnerabilities at low attack directions, and GPT-5-Mini maintains consistently moderate deviation capped at <span class="katex-eq" data-katex-display="false">AD = 0.50</span>.
Behavioral heatmaps reveal that Llama-3-8B is broadly vulnerable at an attack direction (AD \approx 1.0), GPT-OSS-20B exhibits localized vulnerabilities at low attack directions, and GPT-5-Mini maintains consistently moderate deviation capped at AD = 0.50.

Exploring the Manifold of Failure: A Quality-Diversity Approach

MAP-Elites, or Multiobjective Pareto Archive Evolution Strategies, is a quality-diversity optimization algorithm that differs from traditional optimization methods by explicitly maintaining a diverse archive of solutions rather than converging on a single optimum. Instead of solely maximizing a performance metric, MAP-Elites evaluates solutions based on multiple objectives, creating a ‘Behavioral Space’ defined by these objectives. Solutions are then archived based on their position within this space, prioritizing both high performance and diversity. This approach allows for the identification of multiple, potentially useful solutions across the entire behavioral landscape, rather than becoming trapped in local optima, and is particularly suited for exploring complex solution spaces where a single best solution may not exist or be desirable.

Mapping the ‘Manifold of Failure’ involves characterizing LLM vulnerabilities not as isolated incidents, but as points within a continuous, structured space. This approach reveals that unsafe behaviors are not randomly distributed; instead, they cluster in specific regions of the input space, indicating underlying patterns and sensitivities. By systematically exploring the space of possible prompts and categorizing resultant failures, we generate a landscape where proximity in this space correlates with similar failure modes. This allows for the identification of concentrated areas of vulnerability, enabling targeted analysis and mitigation strategies beyond simply addressing individual problematic prompts.

Prompt generation within the MAP-Elites framework employs mutation strategies to efficiently traverse the solution space. ‘Adversarial Suffix’ involves appending potentially harmful or triggering phrases to base prompts, systematically testing for vulnerabilities. ‘Semantic Interpolation’ creates new prompts by calculating weighted averages of the embedding vectors of existing prompts, generating variations that maintain semantic similarity but differ in phrasing. These techniques, applied iteratively, produce a diverse set of prompts enabling comprehensive exploration of the model’s behavioral space and identification of failure modes without requiring manual prompt engineering.

Analysis of alignment desirability (AD) across behavioral space reveals that authority framing is a critical parameter for all models, with Llama-3-8B exhibiting narrow safe corridors, GPT-OSS-20B displaying localized bullseye patterns, and GPT-5-Mini showing compressed contours within a limited <span class="katex-eq" data-katex-display="false">AD</span> range of 0.39-0.50.
Analysis of alignment desirability (AD) across behavioral space reveals that authority framing is a critical parameter for all models, with Llama-3-8B exhibiting narrow safe corridors, GPT-OSS-20B displaying localized bullseye patterns, and GPT-5-Mini showing compressed contours within a limited AD range of 0.39-0.50.

Dissecting Model Behavior: From Fragile Systems to Limited Failures

Application of the MAP-Elites algorithm to the Llama-3-8B large language model identified vulnerabilities across nearly all tested behavioral niches, resulting in a ‘Basin Rate’ of 93.9%. This metric indicates that approximately 93.9% of the explored behavioral space resulted in undesirable or unsafe outputs. The high Basin Rate suggests a systemic lack of robustness in Llama-3-8B’s safety mechanisms and a broad susceptibility to adversarial prompts or unexpected inputs. The near-universal vulnerability surface implies that even small perturbations in input can readily lead to misaligned or harmful responses, highlighting a significant risk profile for this model.

Analysis of ‘GPT-OSS-20B’ using MAP-Elites revealed a pattern of ‘Behavioral Attraction Basins’ that were both fragmented and spatially concentrated. This indicates that vulnerabilities within the model are not broadly distributed across its behavioral space, but rather clustered in specific regions. The observed ‘Basin Rate’ of 64.3% signifies that approximately 64.3% of explored behavioral states resulted in undesirable model outputs, confirming the presence of localized vulnerability concentrations rather than systemic safety failures as observed in other models.

Analysis of ‘GPT-5-Mini’ using MAP-Elites revealed a definitive limit on ‘Alignment Deviation’ (AD), peaking at 0.50, which indicates a high degree of safety and predictable behavior. Crucially, the model exhibited a ‘Basin Rate’ of 0%, signifying the complete absence of exploitable vulnerabilities within the tested parameter space. This outcome suggests a substantially reduced ‘Manifold of Failure’ compared to other models, implying that ‘GPT-5-Mini’ is less susceptible to generating unsafe or undesirable outputs across a broad range of prompts and conditions.

Alignment Deviation varies significantly across the behavioral space for different language models, exhibiting a high mesa for Llama-3-8B, rugged terrain for GPT-OSS-20B, and a flat plateau with spikes for GPT-5-Mini.
Alignment Deviation varies significantly across the behavioral space for different language models, exhibiting a high mesa for Llama-3-8B, rugged terrain for GPT-OSS-20B, and a flat plateau with spikes for GPT-5-Mini.

Predictive Modeling and Enhanced Exploration: Chasing Shadows in the Behavioral Space

To efficiently identify weaknesses in large language models, a predictive modeling approach leveraging Gaussian Processes is employed to map the ‘Behavioral Space’ and anticipate ‘Alignment Deviation’ in areas yet to be tested. This technique doesn’t rely on random probing; instead, it builds a probabilistic model to estimate where the model is most likely to fail, effectively charting the ‘Manifold of Failure’ before direct assessment. By predicting potential vulnerabilities, the system intelligently directs exploration towards critical regions, maximizing the information gained from each test and allowing for a focused search for prompt inputs that elicit undesirable responses. This targeted strategy significantly improves the efficiency of vulnerability discovery compared to purely random sampling methods.

A focused exploration strategy, leveraging predictive modeling, demonstrably enhances the assessment of large language model vulnerabilities. Utilizing Llama-3-8B, this approach achieves 63.04% behavioral coverage – a significant improvement over the efficiency of random sampling techniques. This heightened coverage allows for a more complete mapping of the ‘Manifold of Failure’, effectively identifying a wider range of problematic inputs and response patterns. By concentrating testing on areas predicted to induce misalignment, researchers can efficiently pinpoint critical weaknesses and build more robust defenses against adversarial prompts, ultimately leading to safer and more reliable AI systems.

Detailed analysis of prompt characteristics reveals that certain linguistic dimensions significantly amplify vulnerabilities in large language models. Specifically, techniques like ‘Query Indirection’ – where prompts obscure the intended task through layered questioning – and ‘Authority Framing’ – which leverages perceived expertise to encourage specific responses – consistently exacerbate failure rates. These aren’t simply stylistic choices; they represent core mechanisms through which prompts can bypass internal safety measures and elicit undesirable outputs. Understanding how these characteristics interact with the model’s architecture provides crucial insights into the ‘Manifold of Failure’, enabling the development of more robust defense strategies and improved alignment techniques to mitigate risks associated with adversarial prompting.

Across 15,000 iterations, Llama-3-8B demonstrated sustained improvement in coverage, diversity, and quality, while GPT-OSS-20B plateaued early with moderate quality, and GPT-5-Mini achieved high coverage but remained deficient in diversity and capped in quality at <span class="katex-eq" data-katex-display="false">0.50</span>.
Across 15,000 iterations, Llama-3-8B demonstrated sustained improvement in coverage, diversity, and quality, while GPT-OSS-20B plateaued early with moderate quality, and GPT-5-Mini achieved high coverage but remained deficient in diversity and capped in quality at 0.50.

The pursuit of robust language models often feels like building castles on sand. This work, detailing the ‘Manifold of Failure,’ merely formalizes what most practitioners already suspect: failure isn’t random, it’s structured. The discovery of distinct behavioral topologies across models isn’t surprising; each system will inevitably find novel ways to disappoint. As John McCarthy observed, “It is better to deal with reality than to try to fit it into a preconceived framework.” This paper doesn’t eliminate the looming issues of alignment deviation, but it offers a map of the minefield, acknowledging that even the most elegant Quality-Diversity algorithms will eventually encounter production’s unique brand of chaos. Tests remain, as ever, a form of faith, not certainty.

What’s Next?

This mapping of failure ‘manifolds’ feels less like a solution and more like a particularly elegant way to catalog the inevitable. The authors demonstrate structured vulnerabilities, behavioral topologies-fancy names for the ways these systems consistently hallucinate, contradict themselves, or simply refuse to answer. It’s comforting, in a bleak way, to know the chaos isn’t entirely random. Still, identifying the shape of the mess doesn’t prevent it from occurring. If a system crashes consistently, at least it’s predictable.

The real challenge lies beyond charting these basins of attraction. Quality-Diversity algorithms are clever, but scaling them to truly enormous models feels… optimistic. And while different models exhibit different topologies, the underlying problem-the fragility of statistical correlation-persists. ‘Cloud-native’ alignment, anyone? It’s the same mess, just more expensive. Future work will undoubtedly focus on interventions – nudging these landscapes, building moats around safe behavior.

Perhaps the most honest outcome of this research won’t be safer LLMs, but a better understanding of how little we truly control. We don’t write code – we leave notes for digital archaeologists, hoping they can decipher why we built these magnificent, flawed contraptions. The map is not the territory, and this manifold of failure is a very large, very complex territory indeed.

Original article: https://arxiv.org/pdf/2602.22291.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

See also:

2026-02-27 17:45