ai-hub
[en]es
[concept][changing]

What is the Guardrails Pattern in AI?

Guardrails are validation layers that control what goes in and out of an LLM to prevent harmful, off-topic, or poorly formatted responses.

// 5 min read · updated 2026-06

Guardrails are an architectural pattern that wraps LLM calls with validation rules, filters, and constraints on both user input and model output. Without guardrails, an LLM can produce harmful content, hallucinate sensitive data, drift off-topic, or generate incorrect formats — all in production with real users. With guardrails, you define a safety perimeter the model cannot cross.

Pro Tip: If you're putting an LLM in production, guardrails should be on your list before any cool feature. A model without guardrails is a legal and reputational risk waiting to happen.

What is it

The guardrails pattern consists of two main layers that act at different points in the request lifecycle:

  1. Input guardrails: run before the prompt reaches the LLM. They check for prompt injection, prohibited content, or off-topic requests. If something fails, they block the request and return a predefined message.

  2. Output guardrails: run after the LLM generates a response. They verify the output contains no toxic language, personally identifiable information (PII), factual hallucinations, or invalid structured formats. If something fails, they can retry, censor parts, or return a fallback.

Additional types include behavioral guardrails (monitoring tone), topic guardrails (restricting the domain, e.g., only answer about company products), and execution guardrails (limiting how many tools the model can call or steps it can take).

Note: Guardrails do not replace the provider's content moderation (OpenAI Moderation, etc.). They are an extra layer that you control and customize for your use case.

Mental model

Think of a secure building with checkpoints at entry and exit. Input guardrails are the security guard at the door checking ID and asking "what's your business?" If you're not authorized or here to cause trouble, you don't get in. Output guardrails are the metal detector at the exit: even if you entered, they verify you aren't taking anything you shouldn't.

User → [Input Guardrail] → LLM → [Output Guardrail] → Final response
            ❌ blocks          |         ❌ rejects
            if risky           |        if invalid

Between the two filters, the LLM operates within a controlled perimeter. It can generate freely, but always under supervision.

How it's used

There are dedicated frameworks, and you can also implement custom guardrails with programmatic validation. We'll cover both approaches.

Option 1: Custom guardrails with plain code

For simple cases, write validators directly:

import json
 
# Input guardrail: detect basic prompt injection
def input_guardrail(user_input: str) -> bool:
    blocked_patterns = ["ignore the instructions", "forget your prompt",
                        "act as admin", "> /"]
    for pattern in blocked_patterns:
        if pattern in user_input.lower():
            return False
    return True
 
# Output guardrail: validate response is valid JSON
def output_guardrail(response: str) -> bool:
    try:
        data = json.loads(response)
        return "answer" in data and "confidence" in data
    except json.JSONDecodeError:
        return False
 
# Pipeline
def chat_with_guardrails(user_input: str) -> str:
    if not input_guardrail(user_input):
        return "Sorry, I can't process that request."
 
    raw_response = llm_call(user_input)
 
    if not output_guardrail(raw_response):
        return "The assistant couldn't generate a valid response. Try again."
 
    return raw_response

Option 2: Guardrails AI (framework)

The guardrails-ai library lets you define rules as reusable validators:

pip install guardrails-ai

Install a validator from the Guardrails Hub and attach it to a Guard:

from guardrails import Guard
from guardrails.hub import ValidJSON  # guardrails hub install hub://guardrails/valid_json
 
# Attach one or more validators to the Guard
guard = Guard().use(ValidJSON(on_fail="exception"))
 
# Validate the LLM output: re-asks or raises if it isn't valid JSON
result = guard.parse(llm_output)
print(result.validation_passed)

If the output fails validation, Guardrails AI can automatically retry the LLM call with a correction message until a limit is reached.

Warning: Automatic retries consume tokens and increase latency. Set a reasonable limit (3-5 retries max) and monitor how often corrections occur.

Option 3: NeMo Guardrails (NVIDIA)

NVIDIA's NeMo Guardrails is designed for complex conversational flows using "colang", a domain-specific language for defining dialogues:

# Define a topic rail
define user ask about politics
  "What do you think about [politics]?"
 
define bot refuse politics
  "I don't have opinions on political topics."
 
# Connect rail
when user ask about politics
  bot refuse politics
from nemoguardrails import LLMRails, RailsConfig
 
config = RailsConfig.from_path("config.yml")
rails = LLMRails(config)
 
response = rails.generate(
    messages=[{"role": "user", "content": "What do you think of the new president?"}]
)
# The model will respond with the predefined message, not its real opinion

Pro Tip: NeMo shines when you need fine-grained conversational control (branching dialogues, forbidden topics, roles). Guardrails AI is better for data format validation (JSON, XML, types).

When to use it / when not to

✅ Use it when❌ Don't use it when
The LLM is exposed to end usersOnly you use the model internally and know its limits
You handle sensitive data or PIIThe use case is single-turn with no risk
You need to comply with regulations (GDPR, HIPAA, SOC2)A simple if/else check suffices
The model may drift off-topicThe prompt is hardcoded with no external input
You need to guarantee a specific output formatThe latency and maintenance cost outweighs the risk

Pro Tip: Start with minimal guardrails (just output validation) and add layers as you see failures in production. Don't over-engineer from day one.

History and evolution

View history

The concept of guardrails in AI naturally emerged from content moderation systems already in use on social media. As LLMs became accessible via API (2022-2023), companies noticed that models could be manipulated (prompt injection) or generate problematic content.

In 2023, NVIDIA released NeMo Guardrails as one of the first dedicated frameworks. Shortly after, Guardrails AI (formerly Guardrails Hub) appeared, creating a community repository of reusable validators. Model providers also added native layers: OpenAI launched its Moderation API, Anthropic introduced constitutional mode, and Google included safety settings in Gemini.

Today the pattern is maturing toward interoperable standards, with companies adopting multi-layer validation pipelines and frameworks like Guardrails AI integrating with observability systems (LangSmith, Weights & Biases) to monitor which validations fail and why.