Understanding AI Guardrails
AI guardrails operate at multiple layers of the AI system stack, each addressing different risk categories. Understanding where guardrails fit in the processing pipeline helps security teams design comprehensive safety architectures that catch threats at the earliest possible point while maintaining fallback protections for threats that evade initial detection. The guardrail taxonomy reflects the AI processing lifecycle: inputs arrive from users or systems, models process those inputs to generate outputs, and outputs may trigger actions in external systems. Each stage presents distinct risks requiring specialized controls. Input guardrails prevent malicious content from reaching models. Processing guardrails constrain model behavior during inference. Output guardrails filter responses before delivery. Action guardrails control what the AI system can do in the real world.Types of Guardrails
| Guardrail Type | Purpose | Security Application | Implementation Approach |
|---|---|---|---|
| Input guardrails | Filter harmful or malicious inputs | Block prompt injection, validate queries | Classification models, pattern matching, schema validation |
| Output guardrails | Constrain model responses | Prevent data leakage, limit action scope | Content filters, PII detection, format validation |
| Behavioral guardrails | Define acceptable actions | Restrict tool access, enforce workflows | Action whitelists, approval gates, scope constraints |
| Content guardrails | Filter inappropriate content | Block offensive outputs, ensure professionalism | Toxicity classifiers, sentiment analysis |
| Safety guardrails | Prevent harmful outcomes | Block dangerous commands, require approvals | Risk scoring, human-in-the-loop, kill switches |
| Contextual guardrails | Enforce context-appropriate behavior | Maintain conversation boundaries | Context tracking, session isolation |
Guardrail Architecture Patterns
| Pattern | Description | Trade-offs | Best For |
|---|---|---|---|
| Pre-processing filters | Screen inputs before model processing | Adds latency, may block legitimate queries | High-volume, low-latency requirements |
| Post-processing validators | Check outputs before delivery | Catches issues late, may waste compute | Complex outputs requiring semantic analysis |
| Real-time monitors | Continuous behavior observation | Resource intensive, enables intervention | Long-running agent workflows |
| Layered defense | Multiple guardrail stages | Higher overhead, defense in depth | High-security environments |
| Async validation | Background checking with rollback | Delayed detection, enables fast responses | User experience priority with eventual consistency |
| Ensemble guardrails | Multiple independent guardrail systems | Higher cost, reduced single points of failure | Critical systems requiring high reliability |
Input Guardrails
Input guardrails form the first defensive layer, screening all content before it reaches the AI model. Effective input guardrails reduce the attack surface for downstream components and prevent resource waste on processing malicious or inappropriate requests. For security AI systems, input guardrails must detect sophisticated prompt injection attempts while avoiding false positives that block legitimate security queries. The challenge of input validation for AI systems differs from traditional input validation. Traditional validation checks for SQL injection, XSS, or buffer overflows—attacks with well-defined signatures. AI input attacks are semantic rather than syntactic, attempting to manipulate the model’s interpretation of instructions rather than exploiting parsing vulnerabilities. Detecting these attacks requires understanding intent, which often requires AI-based classification rather than pattern matching alone.Input Validation Strategies
| Strategy | Description | Detection Approach | Limitations |
|---|---|---|---|
| Prompt injection detection | Identify attempts to override system instructions | Classification models, heuristics, perplexity analysis | Evolving attack techniques, false positives |
| Content classification | Categorize inputs for routing or rejection | Multi-label classifiers, topic modeling | Ambiguous content, context dependence |
| Schema validation | Enforce structured input formats | JSON Schema, Pydantic, type checking | Only applies to structured inputs |
| Rate limiting | Prevent abuse through query throttling | Token bucket, sliding window algorithms | Doesn’t address content quality |
| Length constraints | Limit input size to prevent context stuffing | Token counting, character limits | May block legitimate long queries |
| Language detection | Identify input language for appropriate handling | Language classifiers, character analysis | Multilingual attacks, code-switching |
Prompt Injection Defense Techniques
| Technique | Description | Effectiveness | Trade-offs |
|---|---|---|---|
| Instruction hierarchy | Separate system and user instruction processing | High for direct injection | Complexity, may not prevent indirect injection |
| Input sanitization | Remove or escape potentially dangerous patterns | Medium | May corrupt legitimate content |
| Canary tokens | Embed detectable markers in system prompts | Medium for extraction detection | Doesn’t prevent all attacks |
| Perplexity filtering | Detect unusual instruction-like patterns | Medium | High false positive rate |
| Classifier-based detection | ML models trained on injection examples | High | Requires training data, evolving attacks |
| Dual LLM pattern | Separate models for input validation and task execution | High | Increased latency and cost |
Input Filtering Tools and Frameworks
| Tool | Description | Key Features | Documentation |
|---|---|---|---|
| Llama Guard | Meta’s content safety classifier | Input/output classification, customizable policies | Llama Guard |
| Rebuff | Prompt injection detection | Heuristic + ML detection, canary tokens | Rebuff GitHub |
| NeMo Guardrails | NVIDIA’s guardrail framework | Programmable rails, dialog management | NeMo Guardrails |
| Guardrails AI | Output validation framework | Validators, structured outputs, retry logic | Guardrails AI |
| LangKit | Whylabs text quality monitoring | Statistical profiling, drift detection | LangKit |
| Vigil | LLM security scanner | Prompt injection detection, jailbreak detection | Vigil |
Output Guardrails
Output guardrails examine model responses before they reach users or trigger downstream actions. Even when input guardrails successfully block malicious prompts, models can produce harmful outputs due to training data biases, hallucinations, or emergent behaviors that don’t require adversarial prompting. Output guardrails provide defense-in-depth, catching harmful content regardless of how it was generated. For security AI systems, output guardrails address several critical risks: leaking sensitive information from context or training data, providing inaccurate threat intelligence that could misdirect response efforts, recommending dangerous remediation actions, and producing outputs that violate compliance requirements. Effective output guardrails must balance thoroughness with latency—extensive validation improves safety but delays responses.Output Validation Categories
| Category | Validation Focus | Example Checks | Detection Methods | Tools |
|---|---|---|---|---|
| Format compliance | Structural correctness | JSON schema, expected fields, data types | Schema validators, parsers | Guardrails AI, Pydantic |
| Content safety | Harmful content detection | Toxicity, hate speech, violence | Classification models, keyword filters | OpenAI Moderation, Perspective API |
| PII protection | Sensitive data exposure | SSN, credit cards, emails, names | Pattern matching, NER models | Presidio, Amazon Comprehend |
| Factual accuracy | Grounding verification | Source citation, fact checking | RAG validation, knowledge base lookup | Ragas, TruLens |
| Action safety | Command validation | Scope limits, approval requirements | Policy engines, whitelists | OPA, Cedar |
| Relevance | On-topic responses | Topic alignment, context coherence | Semantic similarity, classifiers | Embedding models |
PII Detection and Redaction
Personally identifiable information (PII) leakage represents a critical risk for security AI systems that process incident data, threat intelligence, or user queries. Models may inadvertently include PII from their context in responses, violating privacy regulations and potentially exposing sensitive data to unauthorized parties.| PII Type | Detection Approach | Redaction Strategy | Compliance Relevance |
|---|---|---|---|
| Social Security Numbers | Pattern matching, checksums | Full redaction | HIPAA, SOX |
| Credit card numbers | Luhn algorithm, pattern matching | Mask to last 4 digits | PCI DSS |
| Email addresses | Regex patterns | Domain preservation only | GDPR, CCPA |
| Phone numbers | International format patterns | Partial masking | TCPA, GDPR |
| Names | Named entity recognition | Context-dependent redaction | GDPR, CCPA |
| IP addresses | Pattern matching | Network-level masking | Privacy policies |
| Physical addresses | NER, address parsing | City/state only | GDPR, CCPA |
Content Moderation and Toxicity Filtering
Content moderation prevents AI systems from producing harmful, offensive, or inappropriate content. While consumer AI applications focus on toxicity and hate speech, security AI systems must also detect content that could damage professional relationships, violate corporate policies, or create legal liability.| Content Category | Risk Level | Detection Challenge | Mitigation Approach |
|---|---|---|---|
| Hate speech | High | Context-dependent, coded language | Multi-model ensemble, human review |
| Threats and violence | High | Distinguishing discussion from incitement | Intent classification |
| Sexual content | Medium | Gradations of explicitness | Threshold-based filtering |
| Self-harm | High | Recognizing indirect references | Sensitive content classifiers |
| Professionalism | Medium | Domain and context dependent | Custom classifiers |
| Legal advice | Medium | Distinguishing information from advice | Disclaimer injection |
Factual Grounding and Hallucination Detection
AI models can confidently state incorrect information—a phenomenon known as hallucination. For security AI systems, hallucinated threat intelligence, fabricated CVE numbers, or incorrect remediation steps can lead to wasted effort or dangerous actions. Output guardrails should verify that factual claims are grounded in authoritative sources.| Grounding Technique | Description | Effectiveness | Limitations |
|---|---|---|---|
| RAG verification | Check outputs against retrieved sources | High for supported claims | Requires quality knowledge base |
| Citation validation | Verify cited sources exist and support claims | High for cited content | Doesn’t catch uncited claims |
| Self-consistency | Generate multiple outputs and check agreement | Medium | Consistent hallucinations possible |
| Confidence scoring | Analyze model uncertainty signals | Medium | Calibration challenges |
| Knowledge base lookup | Verify facts against structured data | High for covered domains | Limited by knowledge base scope |
| Claim extraction and verification | Parse claims and verify individually | High | Computational overhead |
Output Filtering Tools and Services
| Tool | Focus Area | Integration Model | Documentation |
|---|---|---|---|
| OpenAI Moderation | Content safety | API call per response | OpenAI Moderation |
| Perspective API | Toxicity detection | API call per response | Perspective API |
| Microsoft Presidio | PII detection | Library or API | Presidio |
| Amazon Comprehend | PII and content analysis | AWS managed service | Amazon Comprehend |
| Guardrails AI | Schema validation, custom validators | Python library | Guardrails AI |
| Ragas | RAG evaluation metrics | Python library | Ragas |
Behavioral Guardrails
Behavioral guardrails constrain what actions AI systems can take in the real world, regardless of what the model outputs. While input and output guardrails focus on content, behavioral guardrails focus on effects—what changes can the AI make to systems, data, and processes? For security AI systems with access to production infrastructure, behavioral guardrails represent the critical last line of defense. The principle of least privilege applies directly to AI behavioral controls. AI systems should have access only to the tools, systems, and data required for their specific function. A threat intelligence assistant doesn’t need write access to production systems. An incident response bot shouldn’t have authority to change security policies. Behavioral guardrails enforce these boundaries even when the AI requests broader access.Action Boundary Types
| Boundary Type | Purpose | Implementation Approach | Example Scenarios | Bypass Risks |
|---|---|---|---|---|
| Tool restrictions | Limit available capabilities | Whitelist permitted tools, capability removal | Block file system access, restrict network tools | Tool injection, capability escalation |
| Scope constraints | Define operational boundaries | Target system lists, environment tags | Limit to non-production, restrict to specific hosts | Scope creep, indirect access |
| Approval workflows | Require human oversight | Action classification, approval queues | Critical changes require analyst approval | Approval fatigue, social engineering |
| Rate limits | Prevent runaway automation | Token buckets, sliding windows | Max 10 actions per minute, daily quotas | Distributed actions, slow attacks |
| Resource constraints | Prevent resource exhaustion | Memory limits, CPU quotas, cost caps | Max API spend per session | Resource hiding, external costs |
| Time boundaries | Limit operational windows | Schedule-based access, session timeouts | No production access outside business hours | Time zone manipulation |
Tool Access Control
AI agents with tool use capabilities present unique risks—the AI determines which tools to invoke and with what parameters. Tool access control ensures AI systems can only invoke approved tools with valid parameters within authorized contexts.| Control Type | Description | Implementation | Security Benefit |
|---|---|---|---|
| Tool whitelisting | Explicit list of permitted tools | Configuration-based tool registration | Prevents unexpected capability use |
| Parameter validation | Validate tool parameters before execution | Schema enforcement, value constraints | Blocks dangerous parameter values |
| Context-based access | Tool availability varies by context | Role-based, session-based, query-based | Limits capability to appropriate contexts |
| Capability composition | Control which tool combinations are allowed | Workflow definitions, DAG constraints | Prevents dangerous tool chains |
| Execution sandboxing | Isolate tool execution environments | Containers, VMs, security boundaries | Contains impact of malicious tools |
Approval Workflow Patterns
For high-risk actions, behavioral guardrails should require human approval before execution. Approval workflows introduce humans into the AI decision loop at critical points, allowing oversight of actions that could have significant consequences.| Workflow Pattern | Latency Impact | Security Trade-off | Best For |
|---|---|---|---|
| Synchronous approval | High (blocks execution) | Maximum control, potential bottleneck | Critical production changes |
| Asynchronous approval | Medium (queued execution) | Balanced control and throughput | Batch operations, non-urgent changes |
| Threshold-based | Low (most actions proceed) | Fast for low-risk, control for high-risk | Mixed-criticality workloads |
| Time-delayed | Medium (execution after delay) | Review window before execution | Reversible actions |
| Dual approval | High (requires multiple approvers) | Defense against compromised approvers | Critical security decisions |
| Delegation-based | Variable | Trusted users can pre-approve action classes | Experienced team contexts |
Scope Constraint Implementation
Scope constraints define the boundaries of what systems, data, and resources an AI can affect. Well-designed scope constraints prevent AI actions from affecting systems beyond their authorized domain, even if the AI is manipulated to attempt broader access.| Constraint Type | Description | Enforcement Mechanism | Example |
|---|---|---|---|
| System scope | Limit target systems by identity | IP whitelists, hostname patterns | Only interact with dev-* systems |
| Environment scope | Restrict to specific environments | Environment tags, network segmentation | No production access |
| Data scope | Limit accessible data categories | Data classification, label-based access | Only access public threat intel |
| Time scope | Restrict operational time windows | Schedule enforcement, time-based tokens | Business hours only |
| Action scope | Limit to specific action types | Action classification, capability matrices | Read-only for new deployments |
| Resource scope | Limit resource consumption | Quotas, budgets, throttling | Max $100 API spend per session |
Behavioral Monitoring and Anomaly Detection
Continuous monitoring detects when AI systems approach or exceed behavioral boundaries. Monitoring enables early intervention before violations occur and provides audit trails for post-incident analysis.| Monitoring Focus | Metrics | Detection Approach | Alert Threshold |
|---|---|---|---|
| Action volume | Actions per minute/hour/day | Rate monitoring, trend analysis | 2x baseline |
| Action diversity | Unique action types | Entropy analysis | Unexpected action types |
| Target scope | Systems affected | Graph analysis | Out-of-scope targets |
| Error rate | Failed actions | Error classification | >10% failure rate |
| Approval patterns | Approval wait times, rejection rates | Statistical process control | Approval bottlenecks |
| Resource consumption | API costs, compute time | Threshold monitoring | Budget utilization |
Safety Monitoring and Incident Response
Effective safety monitoring combines proactive detection of emerging risks with reactive incident response when violations occur. For security AI systems, safety incidents can have serious consequences—unauthorized access, data breaches, or incorrect remediation actions. Organizations must establish clear procedures for detecting, containing, and learning from AI safety events. Safety monitoring extends beyond traditional application monitoring. In addition to availability and performance metrics, AI safety monitoring tracks guardrail effectiveness, output quality, and behavioral patterns that might indicate manipulation or degradation. The goal is detecting problems before they cause harm, not just after.Safety Metrics and KPIs
| Metric | Description | Collection Method | Target | Alert Threshold |
|---|---|---|---|---|
| Guardrail trigger rate | Frequency of guardrail activations | Counter per guardrail type | Baseline + monitoring | 3x baseline |
| False positive rate | Legitimate actions incorrectly blocked | User feedback, appeal rate | < 1% | > 2% |
| Bypass attempts | Detected circumvention tries | Security classifier | 0 successful | Any success |
| Response latency | Guardrail processing time | P50/P95/P99 latency | < 100ms P95 | > 200ms P95 |
| Output quality score | Measured response quality | Evaluation metrics | > 0.85 | < 0.70 |
| User escalation rate | Requests for human assistance | Ticket classification | < 5% | > 10% |
| Anomaly detection alerts | Behavioral anomalies detected | ML-based monitoring | Near-zero | Any critical |
| Cost per query | API and compute costs | Cost tracking | Budget targets | > 150% budget |
Real-time Safety Dashboards
Safety dashboards provide visibility into AI system health and security posture. Effective dashboards combine high-level status indicators with drill-down capabilities for investigating specific issues.| Dashboard Component | Information Displayed | Update Frequency | User Audience |
|---|---|---|---|
| System health overview | Availability, latency, error rates | Real-time | Operations |
| Guardrail status | Trigger rates, bypass attempts | Real-time | Security |
| Output quality trends | Quality scores, user feedback | Hourly | Product |
| Cost tracking | Current spend, projected costs | Hourly | Finance |
| Incident timeline | Recent safety events | Real-time | Security |
| Approval queue | Pending human reviews | Real-time | Analysts |
Incident Severity Classification
AI safety incidents require classification frameworks that account for the unique risks of AI systems. Not all guardrail triggers represent incidents—many are normal operation blocking inappropriate requests. True incidents involve actual or potential harm.| Severity | Definition | Example | Response Time | Escalation |
|---|---|---|---|---|
| Critical | Active harm occurring or imminent | Successful guardrail bypass with malicious action | Immediate | Executive notification |
| High | Significant risk of harm | Repeated bypass attempts, production-impacting errors | < 1 hour | Security team lead |
| Medium | Moderate risk, contained | Elevated false positive rate, quality degradation | < 4 hours | On-call engineer |
| Low | Minor issues, no immediate risk | Latency increases, minor anomalies | < 24 hours | Normal triage |
| Informational | No current risk | Unusual patterns requiring investigation | Next business day | Backlog |
Incident Response Procedures
When guardrails detect safety violations, response must be swift and systematic. AI incident response shares principles with traditional security incident response but includes AI-specific considerations. Immediate containment focuses on stopping ongoing harm. For AI systems, this may involve disabling the affected AI capability, revoking tool access, or activating kill switches that halt all AI operations. The containment decision depends on incident severity—minor issues may warrant degraded operation while investigation continues, while critical incidents require full shutdown. Evidence collection preserves information needed for investigation. For AI incidents, this includes the full prompt and context, model outputs, tool calls and parameters, guardrail evaluation results, and system state at the time of incident. Evidence collection should be automated—manual collection is too slow and may miss critical details. Impact assessment determines what harm occurred or was prevented. For security AI systems, impact assessment examines whether unauthorized actions were executed, whether sensitive data was exposed, and whether the incident affects trust in the AI system’s outputs. Remediation addresses the root cause. For guardrail failures, remediation may involve updating detection rules, retraining classifiers, tightening scope constraints, or modifying approval workflows. Remediation should be validated against the original attack before deployment. Post-incident review extracts lessons learned. Reviews should examine why the attack succeeded (or was caught), whether detection was timely, whether response was effective, and what changes would prevent similar incidents. Reviews inform improvements to both guardrails and response procedures.Kill Switches and Emergency Controls
Kill switches provide emergency halt capabilities when normal guardrails are insufficient. Every AI system with significant capabilities should include multiple independent kill switches that can be activated quickly.| Kill Switch Type | Scope | Activation Method | Recovery Process |
|---|---|---|---|
| Session termination | Single user session | Automatic on critical violation | User re-authentication |
| Feature disable | Specific AI capability | Manual or automatic | Feature flag reset |
| Model fallback | Switch to safer model | Automatic on quality degradation | Validation and restore |
| Full shutdown | All AI operations | Manual, requires authorization | Full system verification |
| Network isolation | Prevent external access | Automatic or manual | Security review |
Constitutional AI and Value Alignment
Constitutional AI represents Anthropic’s approach to building AI systems that are helpful, harmless, and honest. Rather than relying solely on human feedback for training, Constitutional AI uses a set of principles (the “constitution”) that guide the AI’s behavior. The model learns to critique and revise its own outputs based on these principles. For security AI systems, Constitutional AI principles provide a framework for defining organizational values that the AI should uphold. Principles might include: “Prioritize containment of active threats over investigation,” “Never recommend actions that would violate compliance requirements,” or “Always preserve evidence before taking remediation actions.” These principles guide AI behavior even in situations not explicitly covered by guardrail rules.| Value Alignment Approach | Description | Advantages | Limitations |
|---|---|---|---|
| Constitutional AI | Principle-guided self-critique | Generalizes beyond training examples | Principles must be carefully crafted |
| RLHF | Reinforcement learning from human feedback | Captures human preferences | Expensive, may not generalize |
| RLAIF | Reinforcement learning from AI feedback | Scalable, consistent feedback | May amplify model biases |
| Red teaming | Adversarial testing to find failures | Reveals edge cases | Reactive, not comprehensive |
| Debate | Multiple AIs argue positions | Surfaces reasoning flaws | Computational overhead |
Guardrail Testing and Validation
Guardrails must be tested to verify they function as intended. Untested guardrails may fail to catch threats, block legitimate operations, or introduce unacceptable latency. Comprehensive guardrail testing combines unit tests, integration tests, and adversarial testing.Testing Approaches
| Testing Type | Purpose | Test Coverage | Frequency |
|---|---|---|---|
| Unit testing | Verify individual guardrail components | Single guardrail behavior | Every code change |
| Integration testing | Verify guardrail pipeline behavior | Guardrail interactions | Daily builds |
| Regression testing | Ensure fixes don’t break existing behavior | Known good/bad examples | Every deployment |
| Adversarial testing | Find bypass methods | Novel attack patterns | Monthly or continuous |
| Performance testing | Measure latency impact | All guardrail stages | Pre-deployment |
| Chaos testing | Verify behavior under failures | Degraded conditions | Quarterly |
Guardrail Evaluation Metrics
| Metric | Definition | Ideal Value | Measurement Method |
|---|---|---|---|
| True positive rate | Attacks correctly blocked | > 99% | Known attack corpus |
| False positive rate | Legitimate queries blocked | < 1% | Legitimate query corpus |
| Latency P50 | Median guardrail processing time | < 50ms | Production monitoring |
| Latency P99 | 99th percentile processing time | < 200ms | Production monitoring |
| Coverage | Percentage of queries evaluated | 100% | Pipeline instrumentation |
| Bypass rate | Successful attacks in production | 0% | Security monitoring |
Common Pitfalls and Anti-Patterns
Organizations implementing AI guardrails often make mistakes that undermine safety or degrade user experience. Understanding common pitfalls helps avoid repeating them.| Anti-Pattern | Description | Consequence | Remediation |
|---|---|---|---|
| Guardrail-only security | Relying solely on guardrails without other controls | Single point of failure | Defense in depth |
| Over-blocking | Excessively strict guardrails | User frustration, workarounds | Tune thresholds, improve classifiers |
| Under-testing | Deploying guardrails without adversarial testing | Undetected vulnerabilities | Regular red teaming |
| Static rules | Rules that don’t evolve with threats | Increasing bypass rate | Continuous improvement |
| Ignoring latency | Adding guardrails without measuring performance | Poor user experience | Performance budgets |
| Alert fatigue | Too many low-priority alerts | Missed critical incidents | Alert tuning, severity tiers |
| Manual-only response | No automated containment | Delayed response to attacks | Automated kill switches |
Implementation Checklist
Before deploying AI guardrails to production, verify the following requirements are met:Input Guardrails
- Prompt injection detection implemented and tested
- Content classification routes inputs appropriately
- Schema validation enforces expected input formats
- Rate limiting prevents abuse
- Monitoring tracks input guardrail metrics
Output Guardrails
- PII detection and redaction active
- Content moderation filters harmful outputs
- Format validation enforces expected structures
- Factual grounding checks implemented where applicable
- Output monitoring tracks quality metrics
Behavioral Guardrails
- Tool access restricted to required capabilities
- Scope constraints limit target systems
- Approval workflows configured for high-risk actions
- Rate limits prevent runaway automation
- Behavioral monitoring detects anomalies
Safety Operations
- Safety metrics defined and dashboarded
- Incident severity levels documented
- Response procedures established and tested
- Kill switches implemented and tested
- Post-incident review process defined
Testing and Validation
- Unit tests cover guardrail components
- Integration tests verify pipeline behavior
- Red team testing validates against attacks
- Performance testing confirms latency requirements
- Regression suite includes known attack patterns
References
Guardrail Frameworks
- NVIDIA NeMo Guardrails - Programmable guardrail toolkit for conversational AI
- Guardrails AI - Output validation framework with validators and retry logic
- LangChain Safety - LangChain’s guide to building safe AI applications
- Model Context Protocol (MCP) - Standardized protocol for tool capabilities and constraints
Content Safety
- Llama Guard - Meta’s LLM-based input/output safeguard for human-AI conversations
- OpenAI Moderation API - OpenAI’s content moderation endpoint
- Perspective API - Google Jigsaw’s API for toxicity detection
- Microsoft Presidio - Open-source PII detection and anonymization
Prompt Injection Defense
- OWASP LLM Top 10 - Top security risks for LLM applications
- Rebuff - Prompt injection detection library
- Vigil - LLM security scanner for prompt injection and jailbreak detection
- Garak - LLM vulnerability scanner
AI Safety Research
- Constitutional AI - Anthropic’s approach to building harmless AI through principles
- Anthropic Safety Research - Ongoing research into AI safety and alignment
- OpenAI Safety - OpenAI’s approach to AI safety
- NIST AI Risk Management Framework - US government framework for AI risk management
Observability and Monitoring
- LangSmith - LangChain’s observability platform for LLM applications
- Weights & Biases - ML experiment tracking and model monitoring
- Arize AI - ML observability and model monitoring platform
- Ragas - Evaluation framework for RAG applications
- TruLens - Evaluation and tracking for LLM applications
Standards and Compliance
- EU AI Act - European Union regulation on artificial intelligence
- NIST AI 100-1 - Artificial Intelligence Risk Management Framework
- ISO/IEC 42001 - AI management system standard

