We prove that no continuous, utility-preserving wrapper defense-a function $D: X\to X$ that preprocesses inputs before the model sees them-can make all outputs strictly safe for a language model with connected prompt space, and we characterize exactly where every such defense must fail. We establish three results under successively stronger hypotheses: boundary fixation-the defense must leave some threshold-level inputs unchanged; an $ε$-robust constraint-under Lipschitz regularity, a positive-measure band around fixed boundary points remains near-threshold; and a persistent unsafe region under a transversality condition, a positive-measure subset of inputs remains strictly unsafe. These constitute a defense trilemma: continuity, utility preservation, and completeness cannot coexist. We prove parallel discrete results requiring no topology, and extend to multi-turn interactions, stochastic defenses, and capacity-parity settings. The results do not preclude training-time alignment, architectural changes, or defenses that sacrifice utility. The full theory is mechanically verified in Lean 4 and validated empirically on three LLMs.

翻译：我们证明，对于具有连通提示空间的语言模型，不存在任何连续且保效的封装防御——即函数$D: X\to X$，它在输入进入模型之前对输入进行预处理——能够使所有输出严格安全，并且我们精确刻画了每一种此类防御必然失效的位置。在逐步增强的假设下，我们确立了三个结果：边界固定——防御必须保留某些阈值水平的输入不变；ε-鲁棒约束——在Lipschitz正则性条件下，边界固定点周围的一个正测度带状区域仍然接近阈值；以及横截条件下的持久不安全区域——存在一个正测度的输入子集仍然严格不安全。这些结果构成了一个防御三重困境：连续性、效用保持和完备性不可共存。我们证明了无需拓扑基础的并行离散结果，并将其扩展至多轮交互、随机防御和容量对等设置。这些结果不排除训练时对齐、架构变更或牺牲效用的防御手段。该完整理论已在Lean 4中通过机械验证，并在三个大型语言模型上进行了实证验证。