What is the Guardrails Pattern in AI?
Guardrails are validation layers that control what goes in and out of an LLM to prevent harmful, off-topic, or poorly formatted responses.
// 5 min read · ● updated 2026-06
// before reading
Guardrails are an architectural pattern that wraps LLM calls with validation rules, filters, and constraints on both user input and model output. Without guardrails, an LLM can produce harmful content, hallucinate sensitive data, drift off-topic, or generate incorrect formats — all in production with real users. With guardrails, you define a safety perimeter the model cannot cross.
Pro Tip: If you're putting an LLM in production, guardrails should be on your list before any cool feature. A model without guardrails is a legal and reputational risk waiting to happen.
What is it
The guardrails pattern consists of two main layers that act at different points in the request lifecycle:
-
Input guardrails: run before the prompt reaches the LLM. They check for prompt injection, prohibited content, or off-topic requests. If something fails, they block the request and return a predefined message.
-
Output guardrails: run after the LLM generates a response. They verify the output contains no toxic language, personally identifiable information (PII), factual hallucinations, or invalid structured formats. If something fails, they can retry, censor parts, or return a fallback.
Additional types include behavioral guardrails (monitoring tone), topic guardrails (restricting the domain, e.g., only answer about company products), and execution guardrails (limiting how many tools the model can call or steps it can take).
Note: Guardrails do not replace the provider's content moderation (OpenAI Moderation, etc.). They are an extra layer that you control and customize for your use case.
Mental model
Think of a secure building with checkpoints at entry and exit. Input guardrails are the security guard at the door checking ID and asking "what's your business?" If you're not authorized or here to cause trouble, you don't get in. Output guardrails are the metal detector at the exit: even if you entered, they verify you aren't taking anything you shouldn't.
User → [Input Guardrail] → LLM → [Output Guardrail] → Final response
❌ blocks | ❌ rejects
if risky | if invalidBetween the two filters, the LLM operates within a controlled perimeter. It can generate freely, but always under supervision.
How it's used
There are dedicated frameworks, and you can also implement custom guardrails with programmatic validation. We'll cover both approaches.
Option 1: Custom guardrails with plain code
For simple cases, write validators directly:
import json
# Input guardrail: detect basic prompt injection
def input_guardrail(user_input: str) -> bool:
blocked_patterns = ["ignore the instructions", "forget your prompt",
"act as admin", "> /"]
for pattern in blocked_patterns:
if pattern in user_input.lower():
return False
return True
# Output guardrail: validate response is valid JSON
def output_guardrail(response: str) -> bool:
try:
data = json.loads(response)
return "answer" in data and "confidence" in data
except json.JSONDecodeError:
return False
# Pipeline
def chat_with_guardrails(user_input: str) -> str:
if not input_guardrail(user_input):
return "Sorry, I can't process that request."
raw_response = llm_call(user_input)
if not output_guardrail(raw_response):
return "The assistant couldn't generate a valid response. Try again."
return raw_responseOption 2: Guardrails AI (framework)
The guardrails-ai library lets you define rules as reusable validators:
pip install guardrails-aiInstall a validator from the Guardrails Hub and attach it to a Guard:
from guardrails import Guard
from guardrails.hub import ValidJSON # guardrails hub install hub://guardrails/valid_json
# Attach one or more validators to the Guard
guard = Guard().use(ValidJSON(on_fail="exception"))
# Validate the LLM output: re-asks or raises if it isn't valid JSON
result = guard.parse(llm_output)
print(result.validation_passed)If the output fails validation, Guardrails AI can automatically retry the LLM call with a correction message until a limit is reached.
Warning: Automatic retries consume tokens and increase latency. Set a reasonable limit (3-5 retries max) and monitor how often corrections occur.
Option 3: NeMo Guardrails (NVIDIA)
NVIDIA's NeMo Guardrails is designed for complex conversational flows using "colang", a domain-specific language for defining dialogues:
# Define a topic rail
define user ask about politics
"What do you think about [politics]?"
define bot refuse politics
"I don't have opinions on political topics."
# Connect rail
when user ask about politics
bot refuse politicsfrom nemoguardrails import LLMRails, RailsConfig
config = RailsConfig.from_path("config.yml")
rails = LLMRails(config)
response = rails.generate(
messages=[{"role": "user", "content": "What do you think of the new president?"}]
)
# The model will respond with the predefined message, not its real opinionPro Tip: NeMo shines when you need fine-grained conversational control (branching dialogues, forbidden topics, roles). Guardrails AI is better for data format validation (JSON, XML, types).
When to use it / when not to
| ✅ Use it when | ❌ Don't use it when |
|---|---|
| The LLM is exposed to end users | Only you use the model internally and know its limits |
| You handle sensitive data or PII | The use case is single-turn with no risk |
| You need to comply with regulations (GDPR, HIPAA, SOC2) | A simple if/else check suffices |
| The model may drift off-topic | The prompt is hardcoded with no external input |
| You need to guarantee a specific output format | The latency and maintenance cost outweighs the risk |
Pro Tip: Start with minimal guardrails (just output validation) and add layers as you see failures in production. Don't over-engineer from day one.
History and evolution
View history
The concept of guardrails in AI naturally emerged from content moderation systems already in use on social media. As LLMs became accessible via API (2022-2023), companies noticed that models could be manipulated (prompt injection) or generate problematic content.
In 2023, NVIDIA released NeMo Guardrails as one of the first dedicated frameworks. Shortly after, Guardrails AI (formerly Guardrails Hub) appeared, creating a community repository of reusable validators. Model providers also added native layers: OpenAI launched its Moderation API, Anthropic introduced constitutional mode, and Google included safety settings in Gemini.
Today the pattern is maturing toward interoperable standards, with companies adopting multi-layer validation pipelines and frameworks like Guardrails AI integrating with observability systems (LangSmith, Weights & Biases) to monitor which validations fail and why.