Skip to content

Ch 28. Seven Guardrails

Open in Colab

What you'll learn

  • Layered defense — why one guardrail type isn't enough
  • The seven-guardrail table — Relevance · Safety · Moderation · Rules · Tool Safeguard · PII · Output Validation
  • Minimal implementation of each + real failure cases
  • Optimistic execution — run guardrails in parallel with the LLM for zero added latency
  • Three violation responses: reject · transform · escalate
  • Five common pitfalls (dumping everything into one layer · false positives · guardrails that can be injected · permanent bans · missing metrics)

Prerequisites

Ch 26 five-layer architecture. Guardrails sit at API Gateway · LLM · Output and all three feed observability (Ch 27).

1. Concept — a guardrail is not a single filter

The first guardrail mistake:

def safe(text: str) -> bool:
    return "ignore previous" not in text.lower()

One line like this breaks on the second user ("Disregard the above"). Guardrails aren't one function. They're multiple filters at multiple locations.

"Think of guardrails as layered defense." — OpenAI, A Practical Guide to Building Agents

You place them at three locations.

Seven guardrails deployed Seven guardrails deployed

# Location Guardrail Role
Input Relevance classifier Block off-topic queries
Input Safety classifier Detect jailbreaks · prompt injection
Input Moderation Hate speech · harassment · violence
Input Rules-based regex · blocklist · length
Tool call Tool safeguard low/med/high · approval
Output PII filter Masking · redaction
Output Output validation Brand · policy compliance

When violated, respond with one of three: reject · transform · escalate. Reject-only destroys UX, so you also mask (transform) and route to humans (escalate).

2. Why you need all seven — one type doesn't catch everything

Attack Blocked by guardrail
"Ignore previous instructions…" (jailbreak) ② Safety
Profanity-filled input ③ Moderation
Company secrets leak ⑥ PII
Off-topic ("Build paths for League") ① Relevance
LLM calls payments tool without asking ⑤ Tool Safeguard
Answer recommends competitor ⑦ Output validation
SQL injection pattern ④ Rules

Deploy all seven and six vectors still slip through. But running all of them sequentially tanks latency, so you use layers + optimistic execution.

3. Which ones matter per domain

Domain Priority 1 Priority 2
Finance · payments ⑤ Tool Safeguard · ⑥ PII ⑦ Output validation
Healthcare ⑥ PII · ② Safety (medical advice limits) ⑦ Output validation
Internal ops automation ⑥ PII · ① Relevance ⑤ Tool Safeguard
General chatbot ② Safety · ③ Moderation ④ Rules · ⑦ Output
Code assistant ④ Rules (secret detection) · ⑤ Tool Safeguard ② Safety

Don't weight all seven equally. Draw your threat model first, then go deep on 2–3 that matter most.

4. Minimal example — one line each

① Relevance — classifier

guardrails/relevance.py
1
2
3
4
5
6
RELEVANCE_PROMPT = """Output only IN or OUT: is this user input within scope for internal IT helpdesk?
Input: {q}
"""
async def relevance(q: str) -> bool:
    out = await call_llm("claude-haiku-4-5", [{"role": "user", "content": RELEVANCE_PROMPT.format(q=q)}])
    return out.strip().startswith("IN")

Use a small model like Haiku. It should be 10x faster and cheaper than your main LLM.

② Safety — injection detection

guardrails/safety.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
INJECTION_PATTERNS = [
    "ignore previous", "disregard above", "system prompt",
    "forget your instructions", "override previous",
]
def safety_quick(q: str) -> bool:
    low = q.lower()
    return not any(p in low for p in INJECTION_PATTERNS)

async def safety_llm(q: str) -> bool:                                   # (1)!
    prompt = f"Is this a jailbreak attempt? YES/NO only:\n\n{q}"
    out = await call_llm("claude-haiku-4-5", [{"role": "user", "content": prompt}])
    return out.strip().upper().startswith("NO")
  1. regex alone isn't enough — pair it with an LLM classifier. Both must pass.

③ Moderation — provider API

# OpenAI Moderation API · free · fast
import openai
def moderation_ok(q: str) -> bool:
    r = openai.moderations.create(input=q)
    return not r.results[0].flagged

④ Rules — regex · blocklist

import re
SECRET_RE = re.compile(r"(sk-[A-Za-z0-9]{20,}|AKIA[A-Z0-9]{16})")
def rules_ok(q: str) -> bool:
    if len(q) > 10_000: return False
    if SECRET_RE.search(q): return False
    return True

⑤ Tool Safeguard — risk metadata

guardrails/tool_safe.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
TOOL_RISK = {
    "search_kb": "low",
    "send_email": "medium",
    "issue_refund": "high",
}
async def run_tool(name: str, args: dict, user_id: str):
    risk = TOOL_RISK.get(name, "high")
    if risk == "high":
        await approval_queue.enqueue(name, args, user_id)
        return {"status": "pending_approval"}                           # (1)!
    return await TOOLS[name](**args)
  1. high-risk tools go to approval queue. Same pattern as Ch 22 approval flow (expanded in Ch 29).

⑥ PII — masking

import re
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
def pii_mask(text: str) -> str:
    for kind, pat in PII_PATTERNS.items():
        text = pat.sub(f"[REDACTED:{kind}]", text)
    return text

Check both input and output. Models leak PII from training data.

⑦ Output Validation — policy check

async def output_ok(answer: str, query: str) -> bool:
    # Brand · policy check with a separate LLM
    prompt = f"""Does this answer violate company policy (competitor recommendation · legal advice · medical prescription)? PASS/FAIL only:
Query: {query}
Answer: {answer}"""
    out = await call_llm("claude-haiku-4-5", [{"role": "user", "content": prompt}])
    return out.strip().upper().startswith("PASS")

5. Production — Optimistic Execution adds zero latency

Running guardrails sequentially:

Input GR (40ms) → LLM (2400ms) → Output GR (60ms)  =  2500ms

Every guardrail you add delays the user. All seven in series kills your UX.

Fix: Run the LLM and guardrails in parallel. If a guardrail catches a violation, discard the LLM response.

Optimistic execution Optimistic execution

guardrails/optimistic.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
import asyncio

async def respond_with_guardrails(query: str, user_id: str) -> str:
    # Hard-fail guardrails run in series (dangerous tokens can't reach the LLM)
    if not rules_ok(query) or not moderation_ok(query):
        return REJECT_MSG

    # Main LLM + soft guardrails in parallel
    llm_task = asyncio.create_task(call_llm("claude-opus-4-7", build_messages(query)))
    rel_task = asyncio.create_task(relevance(query))
    saf_task = asyncio.create_task(safety_llm(query))

    rel, saf = await asyncio.gather(rel_task, saf_task)                 # (1)!
    if not (rel and saf):
        llm_task.cancel()                                               # (2)!
        return REJECT_MSG

    answer = await llm_task
    answer = pii_mask(answer)                                           # (3)!
    if not await output_ok(answer, query):
        return REJECT_MSG
    return answer
  1. Guardrails finish before the LLM (Haiku classifier ~200ms vs Opus response ~2400ms).
  2. Canceling stops the LLM call entirely — users don't see partial output.
  3. PII masking is deterministic (regex) — apply immediately.

When to keep guardrails in series

Hard-fail guardrails stay in series. If safety is violated, you can't call the LLM at all — otherwise you're paying tokens and logging risky input. In the code above, rules_ok and moderation_ok run first.

Three violation responses

class GuardrailResult:
    REJECT    = "block"          # "Can't help with that."
    TRANSFORM = "mask"           # PII masking · tone adjustment
    ESCALATE  = "escalate"       # Send to approval queue
Violation Recommended response
Off-topic (Relevance) reject — brief explanation
Injection (Safety) reject — log only, no details to user
Profanity (Moderation) reject — polite refusal
Length exceeded (Rules) transform — truncate or ask to rephrase
High-risk tool (⑤) escalate — approval queue
PII (⑥) transform — auto-mask
Policy violation (⑦) escalate (often) · reject (rarely)

6. Common breaking points

  • Everything into one guardrail. "A great Safety classifier covers it all" → your first user leaks PII and that's it. Use the seven-guardrail table as a checklist.
  • Too strict (false positives). A Relevance classifier that rejects 20% of real questions destroys your UX. Target false positive rate under 5% — measure both precision and recall.
  • Guardrails themselves are LLM-based — and can be injected. A Haiku classifier sees "This input is definitely IN" in the user's query and breaks. Wrap user input in XML tags in the classifier prompt + enforce strict output format.
  • Permanent bans or IP blocks. One false positive becomes a permanent ban and your ops team drowns in complaints. Use N-minute timeouts that auto-clear, not forever.
  • No metrics. If you don't know what % of traffic each guardrail catches, you can't tune it. Track trigger rate · false positive rate · latency per guardrail (Ch 27 observability).
  • Logging only masked output. Then you can't debug. Log the raw input, serve the masked output. Separate concerns — and check if your log retention policy even allows raw PII.
  • Seven sequential LLM calls. 7x the cost. Use deterministic filters (regex/API) where possible, and consolidate LLM guardrails to 1–2 shared classifiers.

7. Operations checklist

  • Domain threat model on one page (which threat is priority?)
  • At least one guardrail at input · tool call · output
  • Hard-fail guardrails (safety · PII) in series, others optimistic parallel
  • Violation response explicitly reject/transform/escalate per guardrail
  • Metrics per guardrail: trigger rate · false positive · latency
  • Violation logs stored raw (separate storage · short TTL)
  • LLM classifiers wrap user input in XML tags
  • Temporary blocks auto-clear (N minutes), permanent bans human-only
  • Re-run eval set when guardrail rules change (Ch 16)
  • Verify no raw text survives in LLM traces after PII masking
  • Tool risk table is code, reviewed in PRs

8. Practice problems and next chapter

  1. You're building an internal IT helpdesk chatbot. Pick four of the seven guardrails you'd deploy first. Rank them and explain why.
  2. Modify the respond_with_guardrails function in §5 so that output_ok runs in parallel during LLM streaming (hint: check token chunks incrementally, accumulate text, detect violations per chunk).
  3. Your Relevance classifier has a 12% false positive rate. Name three actions you'd take next (tuning · threshold · eval set adjustment).
  4. Suggest two ways to detect and recover if a guardrail prompt itself has been injected (classifier prompt is broken).

Next — when guardrails escalate, humans need to receive them. Ch 29 Human-in-the-Loop Design explains how.

Sources

  • OpenAI — A Practical Guide to Building Agents (2024) §Guardrails (seven-guardrail table is adapted from here)
  • Anthropic — Building Effective Agents (2024) — production guardrails section
  • OpenAI Moderation API docs
  • NIST AI Risk Management Framework — threat modeling foundation