Marcelo Pastorino, Software Developer

AI Guardrails

Constraints and checks that keep model outputs useful, safe, and within product policy.

AI guardrails are the constraints, validators, and approval steps that keep a language-model feature inside product policy. They sit around generation and action, not inside the model weights. A guardrail can block a request, filter retrieved context, reject malformed output, require human approval, or stop a tool call before side effects happen.

Prompts describe desired behavior. Guardrails enforce what the application will actually accept, log, or execute.

Where guardrails belong

Guardrails should be explicit in the runtime path, not implied by wording alone.

Guardrails across an AI request path

Different products need different layers. A read-only Q&A bot may only need retrieval filters and output validation. An AI agent that updates tickets or sends email needs action guardrails as well.

Common guardrail types

Layer What it protects Examples
Input Untrusted user text Prompt-injection detection, jailbreak filters, PII redaction, topic allowlists
Retrieval Wrong or leaked evidence Tenant filters, permission checks, source allowlists in RAG
Output Invalid or off-policy answers JSON schema validation, citation requirements, tone rules, refusal templates
Action Unsafe tool use Typed tools, argument validation, spend caps, destructive-action confirmation
Human High-risk decisions Approval queues for refunds, account changes, or outbound customer messages

Use code for rules that must be deterministic. Use the model for judgment only when the product can tolerate variance and you can test the behavior.

Instruction hierarchy

Prompt engineering separates trusted instructions from untrusted input. Guardrails make that separation enforceable.

  • Keep system and developer instructions in channels the user cannot overwrite.
  • Treat user text, retrieved documents, web pages, and tool outputs as untrusted data.
  • Never let untrusted text change tool permissions, safety policy, or output schema.

Prompt injection is the main threat this layout defends against. An attacker or compromised document tries to make the model follow hidden instructions such as “ignore previous rules” or “call this tool with admin access.” Guardrails reduce blast radius when wording alone fails.

Output validation

Downstream code should not trust free-form model text without checks.

function validateDraftAnswer(draft) {
  if (!draft?.answer || typeof draft.answer !== "string") {
    return { ok: false, reason: "missing_answer" };
  }

  if (draft.citations?.length === 0 && draft.requiresEvidence) {
    return { ok: false, reason: "missing_citations" };
  }

  if (draft.answer.length > 2000) {
    return { ok: false, reason: "answer_too_long" };
  }

  return { ok: true, value: draft };
}
type DraftAnswer = {
  answer: string;
  citations?: string[];
  requiresEvidence?: boolean;
};

function validateDraftAnswer(draft: DraftAnswer) {
  if (!draft?.answer || typeof draft.answer !== "string") {
    return { ok: false as const, reason: "missing_answer" };
  }

  if (draft.citations?.length === 0 && draft.requiresEvidence) {
    return { ok: false as const, reason: "missing_citations" };
  }

  if (draft.answer.length > 2000) {
    return { ok: false as const, reason: "answer_too_long" };
  }

  return { ok: true as const, value: draft };
}

When validation fails, choose a deliberate response. Retry with a repair prompt, return a safe refusal, or escalate to a human. Silent acceptance teaches the system to ship broken output.

Refusal behavior

A useful guardrail knows when to stop.

  • Refuse when evidence is missing, especially in grounded RAG flows.
  • Refuse when the request is out of scope, unsafe, or requires authority the user does not have.
  • Refuse when output cannot satisfy the required schema after bounded retries.

Good refusals are specific. “I cannot help with that” is weak. “I do not have an approved source for that claim” or “This action needs manager approval” is actionable.

Agent-specific guardrails

AI agents need guardrails on the loop, not only the final message.

  • Cap iterations, tool calls, tokens, and cost per task.
  • Require confirmation before destructive or customer-facing tools run.
  • Validate tool arguments against schemas before execution.
  • Block tools that are not on the allowlist for the current user or tenant.
  • Stop when evaluation detects policy violations, stalled progress, or partial success.

Every tool call should be observable. Log who triggered it, what arguments were sent, what changed, and whether a human approved it.

Retrieval and permissions

RAG guardrails start before generation. If retrieval can surface documents the user should not see, the model will still leak them politely.

  • Enforce authorization at query time with metadata filters.
  • Keep document permissions in the index, not only in application memory.
  • Treat retrieved chunks as untrusted instructions even when the content is allowed to read.

Testing guardrails

Guardrails are product behavior and should be versioned like prompts. See LLM evaluation for golden sets, regression testing, and production monitoring.

  • Add adversarial cases for injection, missing context, malformed JSON, and policy edge cases.
  • Test refusal paths, not only happy answers.
  • Replay production failures into a regression set.
  • Track policy violations, approval rates, blocked tool calls, and false refusals.

Guardrail quality changes when models, prompts, retrieval settings, or tools change. A passing demo is not evidence that production policy still holds.

Trade-offs

  • Too few guardrails create silent failures, leaked data, and unsafe actions.
  • Too many guardrails create false refusals, brittle prompts, and products that feel broken.
  • Model-based moderation is flexible but harder to audit than deterministic checks.
  • Human approval improves safety but adds latency and operating cost.

The goal is not zero risk. The goal is to make unsafe behavior visible, bounded, and recoverable before customers or operators discover it in production.

See also

  • Prompt Engineering, Designing prompts that are reliable, testable, and maintainable.
  • AI Agents, Systems that plan, use tools, and act over multiple steps toward a goal.
  • Retrieval-Augmented Generation, Grounding LLM outputs with retrieved documents and structured context.
  • LLM Evaluation, Measuring whether prompts, retrieval, and agent workflows meet product quality in development and production.
  • Prompt Injection, Attacks that hide instructions in untrusted text to override system behavior, tools, or data access.

On Wikipedia