How is a guardrail different from an evaluator?

An evaluator scores output for offline analysis or dashboards; a guardrail enforces policy synchronously in the request path. The same detector. for example, PromptInjection. can run as either, depending on whether you want to log or block.

How do you measure guardrail effectiveness?

Track block-rate, false-positive rate against a labeled cohort, and end-to-end latency added to requests. FutureAGI exposes these as metrics on the Agent Command Center pre-guardrail and post-guardrail surfaces.

What Is an AI Guardrail? Definition & FutureAGI Guide (2026)

Q: What is an AI guardrail?

An AI guardrail is a runtime check sitting in front of or behind an LLM call that blocks, rewrites, or escalates requests and responses violating a safety, security, or compliance policy.

What Is an AI Guardrail?

An AI guardrail is a runtime policy check that intercepts an LLM input or output and decides. in milliseconds. whether to allow, block, rewrite, or escalate it. Pre-guardrails inspect inputs for prompt injection, PII, and jailbreak patterns before the model sees them. Post-guardrails inspect outputs for toxicity, leaked PII, off-topic answers, and hallucinated facts before the user sees them. Guardrails run inside the AI gateway as a chain of deterministic detectors and judge-model classifiers. In FutureAGI, they ship as a first-class primitive inside Agent Command Center. They are how production LLM systems enforce safety synchronously in 2026, not after a user has already filed a complaint.

Why guardrails matter in production LLM and agent systems

Without guardrails, every prompt your users send is a direct line to your model. and so is every output. The failure modes compound quickly. A user pastes an indirect prompt-injection payload from a webpage; your retrieval-augmented agent reads it as instructions and exfiltrates the system prompt. A finance assistant outputs a customer’s social-security number because the upstream context window pulled in a CRM record. A support bot tells a user to “just ignore” their medication, and the team finds out via Twitter. A legal-tech agent quoted a fabricated case citation because no groundedness post-guardrail blocked the response.

The pain is cross-functional. SREs see latency tail spikes when a misbehaving agent loops. Compliance teams field SAR requests for a model that “may have processed” PII with no enforcement record. Product managers ship a feature that gets pulled in 48 hours because one screenshot of a toxic output goes viral. Engineering teams patch with prompt edits, which works for a week.

In 2026-era agent systems, the surface area is much larger than in 2023. Agents call tools, agents call other agents via A2A, agents discover new tools via MCP, and indirect injection through retrieved documents or MCP tool outputs is now the dominant attack vector. not direct user prompts. A guardrail layer that only inspects the top-level user message catches roughly nothing of this. Production needs guardrails at every model boundary in the trajectory: pre-input, post-retrieval, pre-tool-call, post-output. The 2026 threat model also added a new class. system_prompt_extraction_via_tool_response, where a malicious MCP server returns instructions disguised as data. that didn’t exist when LangChain shipped its first guardrail pattern.

The 2026 regulatory pressure changed the bar too. EU AI Act enforcement began in 2026 for high-risk systems; HIPAA, SOC 2, and ISO 42001 audits now ask for “evidence of runtime policy enforcement,” not just policy documents. The OWASP LLM Top 10 (2025) and the NIST AI Risk Management Framework are the two reference checklists most security teams now map their guardrail coverage against. A block decision with an audit log is evidence; “the prompt told the model to refuse” is not.

The 2026 guardrail surface map

A senior engineer should know which guardrails run where, and what they catch. Run them as a chain, not a single detector.

Stage	Detector	Catches	Typical latency
Pre-input	`ProtectFlash`	Lightweight prompt-injection patterns	20-50 ms
Pre-input	`PromptInjection`	Full judge-model injection check (direct + indirect)	80-200 ms
Pre-input	`PII`	Sensitive identifiers in user input	30-80 ms
Pre-input	`Toxicity`	Toxic user input	30-80 ms
Post-retrieval	`PromptInjection`	Indirect injection in retrieved documents or MCP tool responses	80-200 ms
Pre-tool-call	`CustomEvaluation` (policy)	Tool-call authorization, parameter sanity	40-100 ms
Post-output	`PII`	Leaked PII in output	30-80 ms
Post-output	`ContentSafety` / `ContentModeration`	Harmful content categories	50-120 ms
Post-output	`Groundedness`	Unsupported claims in RAG output	100-300 ms
Post-output	`AnswerRefusal` / `IsHarmfulAdvice`	Inappropriate refusal or harmful advice	80-200 ms
Post-output	`ClinicallyInappropriateTone` (healthcare)	Tone violations on medical responses	100-200 ms
Audit	All	Full request/response/decision log	Async

The cumulative latency budget for a full pre+post chain in 2026 production is usually 250-500 ms p99. Beyond that, product teams disable guardrails. Stage them: cheap deterministic detectors first, judge-model checks second, and parallelize where the chain allows.

How FutureAGI handles AI guardrails

FutureAGI’s approach is to ship guardrails as a first-class primitive inside Agent Command Center, our LLM gateway, rather than a sidecar service. You configure two stages on any route: a pre-guardrail chain that runs before the upstream model call, and a post-guardrail chain that runs on the response. Each stage is an ordered list of detectors. ProtectFlash for low-latency prompt-injection screening, PromptInjection for the full judge-model check, PII for personal-data leak detection, ContentSafety for harmful content, ContentModeration for category-level moderation, and a CustomEvaluation for product-specific policy.

Each detector returns a pass/fail with a reason. On fail, the gateway applies a configurable action: block returns a fallback response and logs the violation, redact rewrites the offending span (useful for PII), escalate routes the request to a human-in-the-loop queue exposed as fi.queues.AnnotationQueue. Audit logs capture the full request, response, detector chain, and decision. that record is what your compliance program reads, not the raw conversation.

A real example: a healthcare team routes user messages through pre-guardrail: [ProtectFlash, PromptInjection, PII] and model output through post-guardrail: [PII, ClinicallyInappropriateTone, NoHarmfulTherapeuticGuidance, ContentSafety, Groundedness]. When PII fires on output, the gateway redacts the offending tokens before the response leaves the boundary. When Groundedness fires, the response is replaced with a fallback (“I don’t have information to answer that confidently”) and the request is queued for review. The same fi.evals classes run as offline regression-eval checks against the golden dataset, so you can confirm a guardrail change didn’t regress anything before you flip it on in production.

Unlike NVIDIA NeMo Guardrails, which require a Colang flow per policy and run as a separate service, or Guardrails AI’s spec-driven validators which focus on output schema, FutureAGI runs detectors as plug-in evaluators inside the gateway, so swapping policy is a config change, not a refactor. Unlike Lakera Guard which focuses primarily on prompt-injection at input, FutureAGI’s stack covers the full pre/post surface and indirect injection in retrieved content and MCP tool responses. FutureAGI gives you the controls and the signals; the policy itself stays yours to define.

In our 2026 evals across healthcare, fintech, and legal-tech customers, we’ve found that the single most impactful guardrail addition is not a new detector. it is a post-retrieval PromptInjection check on every document chunk before it enters the model context. Indirect injection through retrieved content is the dominant 2026 attack vector, and most teams instrument only the user input. Public safety benchmarks anchor what “good” looks like: Gray Swan’s AgentHarm (110 harmful agent tasks across 11 categories) shows frontier agents still complete 30-50% of jailbroken harmful tasks without guardrails, HarmBench (510 adversarial prompts across 7 categories) reports attack success rates of 20-60% on undefended models, and FutureAGI’s own PHARE benchmark adds a multi-modal extension. The agent-specific evaluation suites AgentDojo and InjecAgent round out the 2025-2026 reference set for indirect-injection coverage. On RAGTruth’s 18K labeled chunks the median frontier RAG pipeline fails groundedness on 5-8% of answers. a Groundedness post-guardrail is the standard fix.

Guardrails vs evaluators. the same detector, two surfaces

The line that confuses most teams: an evaluator and a guardrail can be the exact same class. PromptInjection running offline against your golden dataset is an evaluator. The same PromptInjection running inline at the gateway is a guardrail. The choice is operational, not architectural:

Run as evaluator when the goal is offline analysis, a dashboard, a release-gate score, or a regression-eval signal.
Run as guardrail when the goal is to block, redact, or escalate a live request before damage.

Use both in parallel. The evaluator gives you trend data over weeks and cohorts; the guardrail gives you real-time enforcement. FutureAGI exposes the same fi.evals class for both modes. switching from one to the other is a config change, not a different SDK.

MCP and A2A: the new guardrail boundaries

The 2026 protocols changed the threat model. With MCP, agents discover tools at runtime from external servers. With A2A, agents call other agents as tools. Each protocol introduces a new boundary where a guardrail must run:

MCP tool discovery. when a new tool appears in the catalog, validate its schema and description with a ProtectFlash check. A malicious MCP server can register a tool whose description is itself an injection payload.
MCP tool response. every tool response coming back to the model should run through a post-retrieval PromptInjection and PII chain before it enters the model context.
A2A agent invocation. when agent A calls agent B, the prompt to B is an attack surface. Run pre-guardrails on every cross-agent message.
A2A response. when B returns to A, the response is untrusted content. Run post-guardrails before A consumes it.

In 2026, the guardrail surface is no longer “user → model → user”. It is a multi-agent, multi-protocol graph where every edge needs enforcement. Skipping any one edge undoes the others.

Guardrails and the simulate-sdk workflow

Guardrail config changes are deploys, and like any deploy they regress. The pattern that prevents regressions:

Maintain an adversarial set inside fi.datasets.Dataset. labeled injection attempts, PII payloads, toxic prompts, jailbreak patterns. ~500-2,000 rows.
Use simulate-sdk Persona and Scenario to generate fresh adversarial traffic monthly; promote validated attacks into the dataset.
Before any guardrail config flip, run the adversarial set against the candidate chain. Block-rate must not drop and false-positive rate must not rise.
Promote with Agent Command Center traffic-mirroring; observe a 5% slice for 48 hours before full cutover.

This is the workflow that turns guardrails from “we have detectors” into “we have provable enforcement.”

The guardrail latency budget, in detail

A 2026 guardrail chain has to be fast or it gets disabled. Here is the budget that works in production across the customer base we see:

Pre-input chain: 80-200 ms p99 total. ProtectFlash (20-50 ms) + PII (30-80 ms) + PromptInjection deep judge (80-200 ms, parallelized).
Post-retrieval chain (RAG/agent): 100-300 ms p99. Indirect-injection PromptInjection (80-200 ms) on each chunk in parallel.
Pre-tool-call chain: 40-150 ms. Policy CustomEvaluation plus parameter sanity.
Post-output chain: 200-500 ms p99. PII redaction (30-80 ms) + ContentSafety (50-120 ms) + Groundedness (100-300 ms) + AnswerRefusal (80-200 ms), parallelized where possible.
Total p99 added latency: 250-600 ms for a full chain on a high-stakes route.

Three patterns to stay inside this budget: (1) parallelize judge-model checks where independent, (2) put cheap deterministic detectors first so the chain can short-circuit on clear violations, (3) use lightweight judge models (Haiku 4.5, Gemini 3 Flash) for inline checks and heavy models only for offline gate evaluation.

Per-vertical guardrail recipes

Three vertical recipes we see working in 2026:

Healthcare assistant. pre: [ProtectFlash, PromptInjection, PII]. Post: [PII, NoHarmfulTherapeuticGuidance, ClinicallyInappropriateTone, ContentSafety, Groundedness]. Escalation on Groundedness failure, block on NoHarmfulTherapeuticGuidance failure, redact on PII failure. Audit retention 7 years.

Fintech support agent. pre: [ProtectFlash, PromptInjection]. Pre-tool-call: [CustomEvaluation(authorization_check), ParameterValidation]. Post: [PII, AnswerRefusal, IsHarmfulAdvice, ContentSafety]. Block on IsHarmfulAdvice, queue on AnswerRefusal false positives. Audit retention 5 years.

Legal-tech research assistant. pre: [PromptInjection]. Post-retrieval: [PromptInjection] on every chunk. Post: [Groundedness, AnswerRefusal, NoLLMReference, CitationPresence]. Block on Groundedness failure with strict threshold; legal answers without citation get blocked. Audit retention 10 years.

The structure is shared; the detectors and thresholds change by stakes.

How to measure or detect guardrail effectiveness

Guardrail health is a set of operational metrics, not a single score:

ProtectFlash block-rate. fraction of requests blocked by the lightweight pre-guardrail. Sudden spikes usually mean an injection campaign or a broken upstream prompt.
PromptInjection fire-rate by source. split direct (user input) and indirect (retrieved content, MCP response) injections. The indirect rate is what most teams miss.
PII post-guardrail fire-rate. output redaction count per 1K requests. Should be near-zero on healthy routes; any drift signals context-window leakage.
End-to-end p99 latency added. measure with-vs-without the guardrail chain. Acceptable budgets are usually 50-150 ms for pre and 100-250 ms for post.
False-positive rate. sample blocked requests, label them, compute precision against the labeled cohort. Guardrails that block 4% of legitimate traffic get disabled by product teams.
False-negative rate. sample passed requests with negative user feedback, label which should have been blocked; the inverse calibration.
Audit-log completeness. every blocked request has a logged reason and decision; missing rows mean your compliance evidence has gaps.
ContentSafety category breakdown. block reasons grouped by category (violence, sexual, self-harm, hate). Sudden category-specific spikes indicate a new attack pattern or a model drift.
Escalation queue depth. fi.queues.AnnotationQueue items pending review; long queues mean your guardrails are over-blocking or your review capacity is undersized.

from fi.evals import ProtectFlash, PromptInjection, PII

pre = ProtectFlash()
deep = PromptInjection()
post_pii = PII()

if pre.evaluate(input=user_msg).score == "Failed":
    return BLOCK
if deep.evaluate(input=user_msg).score == "Failed":
    return BLOCK

Pair the same classes in regression-eval mode against your golden dataset so guardrail config changes are gated, not just deployed.

For an evaluator-chain post-guardrail wired to a traceAI span. with redact, block, and escalate actions per detector. configure the chain declaratively and let the gateway emit span events for each decision:

from fi.evals import ProtectFlash, PromptInjection, PII, ContentSafety, Groundedness
from fi.gateway import Route, GuardrailChain

healthcare_route = Route(
    name="patient-assistant",
    pre_guardrail=GuardrailChain([
        ProtectFlash(action="block"),
        PromptInjection(action="block", check_indirect=True),
        PII(action="redact"),
    ]),
    post_guardrail=GuardrailChain([
        PII(action="redact"),
        ContentSafety(action="block"),
        Groundedness(action="escalate", threshold=0.85, queue="clinical-review"),
    ]),
    audit_retention_years=7,
)

response = healthcare_route.invoke(user_msg, context=retrieved_chunks)

Auditability: the part that gets pulled in regulator meetings

In 2026 the audit trail is the deliverable, not a side effect. Every blocked, redacted, or escalated request needs a record that includes:

The full input as received by the gateway
The detector chain run, in order
Each detector’s pass/fail and reason string
The final action (allow, block, redact, escalate)
The fallback response or redacted output
A timestamp and request identifier
The model variant via gen_ai.request.model

Retention windows vary by vertical: HIPAA requires 6 years minimum for healthcare data; financial regulators want 5-7 years; EU AI Act high-risk systems require 10 years on decision logs. FutureAGI writes audit logs to a cold-tier store from day one, separately from the operational trace stream, so retention is decoupled from observability cost.

Three patterns that make audits go smoothly:

Hash the input, store the input. Hashing alone is not enough for a regulator who wants to see the exact prompt that triggered a block. Store with encryption-at-rest.
Pin detector versions. When a guardrail config changes, freeze the previous version so old audit records can be replayed against the policy that was actually in force at the time.
Separate access logs from decision logs. Who queried the audit data is itself an audit event.

Guardrails for voice agents

Voice AI agents introduce a guardrail surface not present in text: the user can be interrupted, the agent can fail to detect end-of-turn, and the audio response can carry inappropriate prosody even if the text is fine. The pre and post guardrail stack extends:

Pre (audio). ASRAccuracy on transcription, then standard text guardrails on the transcript.
Post (audio). AudioQualityEvaluator, TTSAccuracy, plus a tone guardrail like IsInformalTone or ClinicallyInappropriateTone for the synthesized output.
Conversation-level. CustomerAgentInterruptionHandling, CustomerAgentTerminationHandling, CustomerAgentLoopDetection running per turn.

The latency budget for voice guardrails is much tighter. voice users notice 300 ms gaps. Most teams ship voice with lighter inline guardrails and heavier offline regression checks via simulate-sdk LiveKitEngine.

Common mistakes

Running only post-guardrails. If you let a malicious prompt reach the model, you have already paid for the inference and risked tool execution. Pre-guardrails are cheaper and safer.
No post-retrieval injection check. Indirect prompt injection through retrieved documents and MCP tool responses is the dominant 2026 attack vector. The user input is no longer the only threat surface.
One detector, one threshold, no review. Guardrails drift as user behavior shifts; sample blocked traffic weekly, label, and retune.
Treating block-rate as the success metric. A guardrail blocking 30% of traffic is broken, not effective. Pair with false-positive rate.
Hard-coding guardrail logic into the application. Once it’s in three services, you cannot update policy without three deploys; centralize it in the gateway.
No human-in-the-loop escalation for ambiguous cases. Guardrails should escalate on uncertainty, not silently block. Wire the queue and staff it.
Using the same model for both production and judging. Self-judging by the same family inflates pass rates by several points. Pin the judge model out-of-family.
No audit-log retention strategy. EU AI Act, HIPAA, and SOC 2 audits in 2026 ask for guardrail decisions over the past 12-24 months. Cold-tier storage from day one is cheaper than retroactive reconstruction.