Note

Fail-open is not fail-unsafe

Fail-open is often treated as a confession that a control is weak. In production systems, a control that fails open can be the safer outcome for the customer.

The distinction is whether the fail-open behaviour is deliberate and bounded. Can you see it happening? Is the blast radius understood? Is there a compensating signal downstream? Can you tighten the control again without a risky deploy?

Fail-open is unsafe when it is invisible. It is engineering when it is designed, measured and reversible.
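As an added illustration (not code from the original note), here is the shape such a designed fail-open can take in Python: a hypothetical authorization check whose policy backend may raise, wrapped so that it fails open only in a runtime-tunable mode, counts every fail-open decision against a bounded budget, emits a log line a downstream detector can alert on, and can be tightened to fail-closed without a deploy. All names, the budget and the log format are assumptions.

```python
"""Fail-open as a designed, measured, reversible behaviour (added example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Literal

Mode = Literal["fail_open", "fail_closed"]


@dataclass
class GuardedCheck:
    # The real control, e.g. a call to a policy service; raises when unavailable.
    check: Callable[[str], bool]
    # Runtime-tunable mode: flipping it is a config change, not a deploy.
    mode: Mode = "fail_open"
    # Blast-radius bound: at most this many fail-open decisions per window,
    # after which the control falls back to fail-closed on its own.
    max_open_per_window: int = 50
    window_s: float = 60.0
    # Timestamps of fail-open decisions; doubles as a metric for dashboards.
    fail_open_events: list = field(default_factory=list)

    def _recent_opens(self, now: float) -> int:
        self.fail_open_events = [t for t in self.fail_open_events if now - t < self.window_s]
        return len(self.fail_open_events)

    def allow(self, subject: str) -> tuple[bool, str]:
        """Return (decision, reason). reason tells you which path was taken."""
        try:
            return self.check(subject), "policy"
        except Exception as exc:  # backend unavailable: the degraded path
            return self._degraded(subject, type(exc).__name__)

    def _degraded(self, subject: str, reason: str) -> tuple[bool, str]:
        now = time.monotonic()
        if self.mode == "fail_closed":
            return False, f"fail_closed:{reason}"
        if self._recent_opens(now) >= self.max_open_per_window:
            return False, f"fail_closed:budget_exhausted:{reason}"
        self.fail_open_events.append(now)
        # Constructed log format: the compensating signal for downstream alerting.
        print(f"FAIL_OPEN subject={subject} reason={reason} opens={len(self.fail_open_events)}")
        return True, f"fail_open:{reason}"

    def tighten(self) -> None:
        """Re-close the control at runtime, without a risky deploy."""
        self.mode = "fail_closed"
```

Every fail-open decision is visible in the returned reason, the log line and the event counter, and the budget means an outage cannot turn into an unbounded bypass.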