defending-llms-with-guardrails
Defending LLMs with Guardrails
Defensive scope: This skill describes runtime defenses for production LLM applications. The example jailbreak/injection payloads exist only to validate that guardrails block them. Test against systems you own or are authorized to assess.
Overview
Large language model (LLM) applications are exposed to adversarial input (jailbreaks, prompt injection, toxic content) and can emit unsafe, biased, or sensitive output. A guardrail is a runtime control that inspects and constrains the data flowing into and out of an LLM. Three production-grade, open-source guardrail systems dominate the ecosystem and are complementary rather than mutually exclusive:
- Llama Guard 3 (Meta) — a Llama-3.1-8B model fine-tuned as a safety classifier. Given a prompt or a response, it emits
safeorunsafeplus the violated MLCommons hazard categories (S1–S14). It is the strongest semantic content-safety classifier of the three and supports prompt classification, response classification, and tool-call/code-interpreter classification across 8 languages. - NeMo Guardrails (NVIDIA) — a programmable dialogue-rail framework. You define
input,output,dialog,retrieval, andexecutionrails in aconfig.ymlplus Colang (.co) flows. It can call external models (including Llama Guard) as actions, enforce topical boundaries, and add fact-checking/jailbreak-detection rails. - LLM Guard (Protect AI) — a scanner pipeline with 15 input scanners and 20 output scanners (PromptInjection, Toxicity, Anonymize/Deanonymize, Secrets, BanTopics, Sensitive, Regex, etc.). It returns a sanitized string, a validity flag, and a risk score per scanner, making it ideal for a deterministic pre/post pipeline.
This skill maps to MITRE ATLAS AML.T0054 — LLM Jailbreak: the guardrail layer is the mitigation that detects and blocks jailbreak/injection attempts before they reach (or after they leave) the model.