Semantic Gravity Wells: Why Negative Constraints Backfire

Abstract: Negative constraints (instructions of the form "do not use word X") represent a fundamental test of instruction-following capability in LLMs. Despite their apparent simplicity, these constraints fail with striking regularity, and the conditions governing failure have remained poorly understood. This paper presents the first comprehensive mechanistic investigation of negative instruction failure. We introduce semantic pressure, a quantitative measure of the model's intrinsic probability of generating the forbidden token, and demonstrate that violation probability follows a tight logistic relationship with pressure ($p=σ(-2.40+2.27\cdot P_0)$; $n=40{,}000$ samples; bootstrap $95%$ CI for slope: $[2.21,,2.33]$). Through layer-wise analysis using the logit lens technique, we establish that the suppression signal induced by negative instructions is present but systematically weaker in failures: the instruction reduces target probability by only 5.2 percentage points in failures versus 22.8 points in successes -- a $4.4\times$ asymmetry. We trace this asymmetry to two mechanistically distinct failure modes. In priming failure (87.5% of violations), the instruction's explicit mention of the forbidden word paradoxically activates rather than suppresses the target representation. In override failure (12.5%), late-layer feed-forward networks generate contributions of $+0.39$ toward the target probability -- nearly $4\times$ larger than in successes -- overwhelming earlier suppression signals. Activation patching confirms that layers 23--27 are causally responsible: replacing these layers' activations flips the sign of constraint effects. These findings reveal a fundamental tension in negative constraint design: the very act of naming a forbidden word primes the model to produce it.

• The paper demonstrates that negative constraints fail because of inherent semantic pressure, quantitatively linked via a logistic model that explains 78% of the variance.
• It reveals that failures exhibit a 4.4× weaker suppression where attention focuses more on the forbidden token and late-layer FFN contributions override negation signals.
• Activation patching confirms that late transformer layers (23–27) causally drive surges in target probability, effectively bypassing negative instruction cues.

Mechanistic Analysis of Negative Constraint Failure in LLMs

Introduction

The paper "Semantic Gravity Wells: Why Negative Constraints Backfire" (2601.08070) delivers a rigorous mechanistic exploration into why LLMs regularly fail to comply with negative constraints—i.e., instructions of the form “do not use word X.” By bridging systematic behavioral characterization with deep interpretability, the study traces failure not to generic comprehension deficits but to competitive computational forces within transformer networks. The analysis centers on Qwen2.5-7B-Instruct, leveraging open weights for granular investigation, but the findings have implications for broader model classes and practical deployment.

Semantic Pressure: Quantifying Predictable Failure

Central to the paper is the formalization of semantic pressure: $P_0$, the baseline probability that the model generates the forbidden token $X$ in response to a prompt, absent any constraints. The observed violation rate under negative instruction correlates tightly with $P_0$ via a logistic relationship, described by:

$$p(\text{violation}) = \sigma(-2.40 + 2.27 \cdot P_0)$$

This fit explains 78% of variance in violation rates (Figure 1).

Figure 1: Violation rate increases monotonically with semantic pressure; logistic fit explains 78% of variance ($R^2 = 0.78$), with failure rate exceeding 46% at $P_0 = 0.9$.

This result substantiates that failures are lawful, not random: baseline pressure largely dictates when negative instructions will fail, providing an actionable predictive criterion for model deployment.

Asymmetric Suppression and Distinct Failure Modes

Despite some suppression of target probability upon negative instruction, failure cases distinguish themselves via a marked asymmetry: suppression is $4.4\times$ weaker in failures ($\Delta P = 0.052$) relative to successes ($\Delta P = 0.228$).

Figure 2: Mean suppression of target probability by negative instruction is much weaker in failures (5.2 points) than in successes (22.8 points), a $4.4\times$ difference.

Attention analysis reveals that failure cases disproportionately route focus toward the instruction's mention of $X$, rather than the negation cue "do not," signifying a priming effect. At higher semantic pressure, this attentional misalignment intensifies, with failures consistently showing elevated focus on the forbidden word.

Figure 3: Failure cases attend more to the target mention and less to the negation cue, indicating the forbidden word acts as a prime rather than a constraint.

Layerwise Dynamics: Activation and Override

Applying the logit lens across transformer layers uncovers three computational regimes:

• Early layers ($0\text{--}20$): negligible probability assigned to the target.
• Critical late layers ($21\text{--}27$): probability of the forbidden word explosively diverges in failure cases.
• Final layer: baseline/failure outputs approach 0.71 target probability, success/negative instruction remains suppressed at 0.08.

  Figure 4: Target probability surges in late layers for failures, suggesting decision-making is deferred and concentrated in upper transformer blocks.

Decomposition of self-attention and FFN reveals that:

• Attention suppresses target probability, but this suppression is overwhelmed by FFN contributions in late layers.
• In failures, FFN push at layer 27 is $+0.39$ (vs. $+0.10$ in successes), while attention’s suppression is not sufficient to offset the override.

  Figure 5: Late-layer FFNs consistently promote target generation, with their output nearly $4\times$ stronger in failures—often overpowering attention-driven suppression.

Causal Validation via Activation Patching

Patching activations from baseline (unconstrained) conditions into negative instruction runs enables causal attribution. In layers 24–27, patched activations increase target probability, indicating these layers are not only correlated but necessary for constraint failure.

Figure 6: Activation patching pinpoints causal responsibility to layers 23–27; in these layers, baseline activations drive up target probability, overriding negative constraints.

Taxonomy and Practical Implications

Two failure modes emerge:

• Priming failure (87.5%): Negatively constrained instructions mentioning the forbidden token prime its selection; the model attends more to the target mention than the negation.
• Override failure (12.5%): Strong FFN contributions in late layers overwhelm valid suppression signals, even when attention appropriately focuses on the negation.

  Figure 7: Failure taxonomy—priming is most frequent, arising from explicit mention of the target; override is characterized by FFN dominance in late layers.

For practitioners, the dominance of priming implies avoiding explicit mention of the forbidden word in instructional design. Alternative formulations—categorical constraints, indirect references, positive instructions—should substantially reduce expected violation rates. For safety-critical or high-pressure scenarios, generation-time constraints are insufficient, and post-hoc output filtering is warranted.

Theoretical and Future Directions

This work demonstrates the explanatory power of mechanistic interpretability techniques: logit lens, component decomposition, and activation patching directly resolve how behavioral failures map to underlying computations. The observed competitive dynamic between semantic and constraint pressure suggests further inquiry into how transformer architectures encode and resolve high-conflict instruction scenarios.

Future research should test the generality of these mechanisms across model sizes and architectures, refine constraints that minimize priming, and develop fine-grained targeted interventions (e.g., at the attention head or FFN neuron level). The findings are immediately relevant to instruction tuning, safety mechanisms, and the understanding of negation processing in LLMs.

Conclusion

Negative constraints in LLMs fail not randomly but due to an interlayer competition between entrenched statistical expectations (semantic pressure) and instruction-induced suppression. Explicitly referencing the forbidden token primes its activation, while late-stage FFN layers in the transformer overpower early-layer suppression signals. Understanding these dynamics enables diagnostic and prescriptive improvement both for prompt engineers and model developers, supporting robust instruction-following in deployed AI systems.