What guardrails are
A raw LLM will happily return malformed JSON, drift off-topic, leak a system prompt, or repeat a user's injected instruction. Guardrails are the checks you wrap around the model — on the way in and the way out — to keep its behavior inside safe, predictable bounds. They are the difference between a demo and a feature you can ship.
Input guardrails
Before the prompt reaches the model, validate and sanitize:
- Length and rate limits — reject oversized inputs and throttle abuse.
- Prompt-injection screening — detect attempts to override instructions hidden in user text, and keep user content fenced as data.
- PII / policy checks — block or redact disallowed content before it is processed.
{
"input_checks": {
"max_tokens": 4000,
"blocked_patterns": ["ignore previous instructions"],
"redact": ["credit_card", "ssn"]
}
}Output guardrails
The output is where most failures bite. Layer the checks:
| Check | Catches | How |
|---|---|---|
| Schema | Malformed / wrong-shape JSON | Validate against a JSON Schema |
| Content | Toxicity, PII leaks, off-topic | Classifiers / rules |
| Policy | Disallowed claims, missing disclaimers | Rule checks on fields |
| Grounding | Hallucinated facts | Require citations to provided context |
A schema check alone catches the most common production failure — output your code cannot parse.
A validate-and-retry loop
The most effective output guardrail is "validate, and if it fails, ask the model to fix it":
1. Get model output.
2. Validate against the JSON Schema + content rules.
3. If it passes -> return it.
4. If it fails -> send the error back, ask for a corrected response (cap retries at 2-3).
5. Still failing -> fall back to a safe default and log it.This pushes reliability toward 100% while keeping a safe fallback for the rare unrecoverable case.
Express guardrails as configuration
Keeping guardrails as JSON config (not buried in code) lets you tune them without deploys and audit them easily:
{
"output_schema": { "type": "object", "required": ["answer", "citations"] },
"max_retries": 2,
"on_failure": "safe_default",
"require_grounding": true
}Don't over-guard
Guardrails add latency and cost (extra checks, retries, sometimes extra model calls). Apply the strict ones — schema validation, injection screening on user input — everywhere, but reserve expensive checks (a second model judging toxicity) for the surfaces that need them. Match the guardrail to the risk.