Guardrail

A policy-enforcement primitive that constrains an AI agent's input or output at runtime — content filters, denied-topic lists, PII redaction, prompt-injection detection, output validation, jailbreak detection. Guardrails sit between the agent's foundation model and either the user (input guardrails) or downstream systems (output guardrails) and trigger refusal, redaction, or escalation when policy is violated.

Guardrails are necessary but not sufficient. Vendor-shipped guardrails (Bedrock Guardrails, Azure Content Safety, OpenAI Moderation, Salesforce Trust Layer) cover the obvious failure modes — explicit content, PII leakage, jailbreak prompts. They do not cover the deployment-specific failure modes — domain-specific output validation, business-rule violations, integration-boundary checks. The right posture is treating vendor guardrails as the floor, not the ceiling, and adding deployment-layer policy enforcement on top for everything the vendor's filter isn't designed to catch.

Related frameworks

• GAUGE →
• MTTD-for-Agents →

Articles that analyse this term

• Agent observability stack: the four layers production agentic-AI actually needs (and what each one misses)
• OWASP Agentic AI Top 10: the enterprise walkthrough
• EchoLeak and the cross-agent prompt-injection class

Primary sources

• AWS. Bedrock Guardrails (documentation)
• OWASP. Top 10 for LLM Applications — LLM06 Excessive Agency