AI safety
A practical guide to LLM guardrails for prompt injection, tool approvals, output validation, human review, policy checks, and production AI risk management.
Comparison
| Option | Best for | Strengths | Tradeoffs | Use when |
|---|---|---|---|---|
| Policy and input guardrails | Filtering unsafe requests, prompt injection patterns, sensitive data, and unsupported tasks | Stops many bad requests before expensive or risky model calls. | Can create false positives and must be tested against real user language. | You need to define what the AI feature is allowed to handle. |
| Tool and action guardrails | Agents that send email, update records, call APIs, or trigger workflows | Limits damage by requiring permission, scopes, confirmations, and idempotency. | Adds workflow friction and requires careful UX for approvals. | The model can cause external side effects. |
| Output and human-review guardrails | Customer-facing answers, regulated domains, citations, JSON contracts, and escalation paths | Catches bad answers, invalid formats, missing citations, and uncertain decisions. | Cannot catch every semantic error without domain-specific evals and human review. | Wrong output could harm users, money, data, or trust. |
A useful guardrail system combines product policy, model prompts, retrieval controls, schemas, validators, tool permissions, monitoring, and human escalation. Each layer should catch a different kind of failure.
Prompt injection is not solved by telling the model to ignore bad instructions. Treat retrieved documents and user text as untrusted input, then limit what the model can do with that input.
A guardrail that blocks everything is safe but unusable. A guardrail that never blocks is decorative. Track precision, false positives, false negatives, escalation rate, and user recovery paths.
Decision Rules
Use layered controls instead of relying on one guardrail package.
Require human approval for irreversible, external, or high-risk tool actions.
Treat retrieved documents as untrusted input in RAG systems.
Measure false positives and false negatives before broad rollout.
Related Guides
Apply the same guardrail thinking to private knowledge systems.
OpenUse typed output contracts as one reliability layer.
OpenSecure private knowledge retrieval and answer generation.
OpenAdd permissions around agent tool access.
OpenCompare orchestration choices for agent workflows.
OpenTopic Hubs
Topic hub
Plan RAG systems, local LLM deployment, model APIs, cloud AI platforms, vector databases, evaluation, observability, rate limits, and cost optimization.
OpenTopic hub
Compare AI security controls, governance frameworks, compliance automation, data privacy, vendor questionnaires, red teaming, SIEM, SOAR, XDR, CNAPP, DSPM, DLP, PAM, GRC, and risk tooling.
OpenIndustry Pages
Industry page
Compare AI cybersecurity tools for SOC analysts, SIEM, SOAR, XDR, CNAPP, exposure management, DSPM, DLP, PAM, email security, AI GRC, vendor risk, red teaming, and compliance automation.
OpenIndustry page
Compare AI tools for ITSM, AIOps, SaaS management, LLM observability, gateways, rate limits, fallback routing, enterprise search, knowledge management, and IT governance.
OpenFAQ
They can reduce some failures, but they do not guarantee truth. Use retrieval controls, citations, answer verification, evals, and human review for high-risk outputs.
Tool permission is usually the most important layer. The model should not be able to perform irreversible or high-value actions without narrow scopes and approval.
No practical system should assume that. Design as if user text and retrieved content are untrusted, then limit what they can influence.
Source Links
Reference
OWASP project covering common LLM application risks.
OpenReference
Official OpenAI guidance for guardrails and human approvals.
OpenReference
Official NeMo Guardrails documentation.
OpenReference
Guardrails AI documentation and product site.
OpenThe strongest decision is always local to your workflow. Save the vendor links, define a representative task, record the exact prompt or command, and compare the final evidence instead of the marketing claim.
Return to the AI learning map