guardrails

Frameworks and rule engines that enforce safety, correctness, and policy constraints on LLM outputs at runtime using declarative rules, validators and interceptors; e.g., NVIDIA NeMo Guardrails defines grammars, safety policies and response validators to block or transform harmful, unsafe, or out-of-scope responses before delivery.

guardrails

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

This work addresses the challenge of maintaining consistency between safety operation rules and actual system behavior in cyber-physical systems, where rules must be continuously refined as environments evolve. Such refinement must adhere to domain-specific syntactic constraints while avoiding semantic inconsistencies or overfitting. The paper proposes a language-model-in-the-loop optimization framework that integrates counterfactual reasoning with syntactic constraints to iteratively refine safety rules. Evaluated in an autonomous driving control system, the approach successfully corrects inconsistent rules generated by conventional methods, ensuring both syntactic validity and behavioral alignment. Large-scale experiments further demonstrate that the choice of large language model critically influences correction quality, offering a novel paradigm for high-assurance safety verification.

cyber-physical systemsgrammar-constrained refinementlanguage-in-the-loop

Despite post-training alignment, current large language models (LLMs) remain vulnerable to safety risks, necessitating coordinated input- and output-side safeguards. To address this, we propose Roblox Guard 1.0—a Llama-3.1-8B-Instruct-based instruction-tuned model featuring a novel taxonomy-adaptive joint moderation mechanism that enables zero-shot generalization to unseen safety categories. We further design a multi-stage LLM moderation pipeline integrating chain-of-thought reasoning and input inversion to enhance contextual understanding and decision robustness. Additionally, we introduce RobloxGuard-Eval, a new benchmark with an extensible safety taxonomy. Experiments demonstrate that Roblox Guard 1.0 significantly improves detection of emerging safety threats across diverse domains. RobloxGuard-Eval establishes the first standardized, extensible evaluation framework for assessing LLM safety guardrails.

Enhances LLM safety via input-output moderationEvaluates moderation frameworks with extensible benchmarksGeneralizes across unseen safety taxonomies

Existing evaluation benchmarks struggle to assess large language models’ ability to autonomously adhere to implicit regulatory compliance in high-stakes scenarios. This work proposes the first compliance evaluation framework that integrates regulatory semantics with program generation: it translates unstructured regulations into Linear Temporal Logic (LTL) oracles and, combined with logic-guided fuzz testing, introduces LogiSafetyGen—a method for synthesizing program trajectories that jointly satisfy functional objectives and safety constraints. The authors further construct LogiSafetyBench, a benchmark comprising 240 human-validated tasks. Evaluation across 13 state-of-the-art large language models reveals that while increasing model scale improves functional correctness, it concurrently leads to a significant rise in compliance failures, highlighting the current limitations of these models in safety-critical applications.

implicit ruleslarge language modelsregulatory compliance

Qwen3Guard Technical Report

Oct 16, 2025
HZ
Haiquan Zhao
🏛️ Qwen Team

Existing safety guardrail models suffer from two key limitations: (1) they produce only binary safety labels, lacking flexibility to accommodate varying safety tolerance thresholds across application scenarios; and (2) they rely on post-hoc detection, rendering them incompatible with streaming inference and real-time intervention. This paper introduces a multilingual, scalable generative safety guarding framework that pioneers a dual-mode architecture: (i) ternary classification—“safe,” “controversial,” or “unsafe”—and (ii) token-level streaming detection. Fine-tuned via instruction tuning, the framework enables fine-grained policy adaptation, while an integrated lightweight classifier head ensures low-latency online monitoring. The model family spans 0.6B–8B parameters and supports 119 languages. It achieves state-of-the-art performance on English, Chinese, and multilingual safety benchmarks. All models are released under the Apache 2.0 license.

Binary safety labels cause inconsistent policy interpretation across domainsCurrent models lack real-time safety monitoring during text generationExisting guardrails require complete outputs, preventing streaming intervention

This work proposes a modular and configurable safety framework to address critical security and ethical risks associated with large language models (LLMs), including privacy leakage, generation of misinformation, and malicious misuse. The framework employs an adaptive sequence scheduling mechanism to dynamically integrate trustworthy components—such as content filtering, behavioral constraints, and context-aware controls—into a flexible guardrail architecture. This approach enables real-time, context-sensitive ethical and safety oversight of model outputs, effectively mitigating the generation of harmful, factually inaccurate, or privacy-sensitive content. By doing so, it significantly enhances the safety, regulatory compliance, and deployment adaptability of LLMs in real-world applications.

ethical concernsguardrailsLarge Language Models

Latest Papers

What's happening recently
View more

Existing automated tool-calling systems often suffer from insufficient generalization due to model-centric designs and heavy reliance on prompting, leading to recurrent failures such as unsafe side effects, invalid parameters, uncontrolled retries, and sensitive data leakage. This work proposes a model-agnostic, policy-first framework for tool orchestration that enforces permission control prior to invocation, enhancing safety through explicit constraints, risk-aware gating, recovery mechanisms, and auditable explanations. Key contributions include a policy-first paradigm for tool workflows, a lightweight domain-specific language (DSL) for policies, a runtime execution engine, and a reproducible safety benchmark based on trajectory replay. In 225 controlled experiments, the strictest policy configuration achieved a violation prevention rate of 0.681, reduced retry amplification to 1.378, and attained a sensitive information leakage recall of 0.875, effectively quantifying the trade-off between safety and utility.

model-agnostic safetysensitive data leakagetool-using automation

Existing guardrail systems struggle to accurately detect policy violations according to application-specific safety policies grounded in contextual nuance. This work proposes a novel context-aware policy-based evaluation paradigm and introduces SafePyramid, a hierarchical benchmark encompassing over 60,000 natural language rules across multiple domains. SafePyramid evaluates three core capabilities: single-rule comprehension, rule-dependency reasoning, and adaptation to novel policies. Through a multi-stage human-in-the-loop construction process—integrating multi-turn dialogues, fine-grained annotations, and tiered task design—the study systematically assesses ten leading large language models and five policy guardrails. Results reveal significant limitations in contextual policy execution: even the best-performing model, GPT-5.5, achieves full accuracy rates of only 54.0%, 35.3%, and 12.9% on the three respective tiers, underscoring a critical gap in current systems’ ability to reason with and apply complex, context-dependent safety policies.

in-context policy guardrailingLLM safetypolicy adaptation

Existing multilingual safety evaluation benchmarks for large language models predominantly rely on generic risk taxonomies and machine translation, which struggle to accommodate regional legal frameworks and cultural nuances. To address this limitation, this work introduces ML-Bench—the first multilingual safety benchmark grounded in jurisdiction-specific legal texts—and presents ML-Guard, a diffusion-based large language model (dLLM)–driven defense system capable of rapid safety judgments and fine-grained compliance explanations across 14 languages. By leveraging regionally regulated data generation and employing both lightweight and high-capacity conditional defense strategies, ML-Guard substantially outperforms 11 strong baselines across six established benchmarks as well as the newly constructed ML-Bench, significantly enhancing safety enforcement and compliance assessment in multilingual settings.

cultural nuancelarge language modelsmultilingual safety

This work identifies a critical failure mode in safety guardrails for large language models—termed the “deliberation-execution gap”—where models recognize harmful intent yet produce decisions that violate their own safety policies due to misalignment between reasoning and action. To address this, the authors introduce a consistency-aware framework that enforces strict adherence of safety reasoning to predefined policies through trajectory distillation from policy to decision and functional coupling alignment. This ensures that final decisions are logically and necessarily derived from compliant reasoning processes. Experimental results demonstrate that the proposed approach significantly improves performance on harmfulness detection benchmarks and substantially reduces policy execution failures, thereby validating the essential role of policy-faithful reasoning in constructing reliable safety guardrails.

deliberation-to-enforcement gapLLM guardrailspolicy execution consistency

This work addresses the critical gap in existing large language models (LLMs)—their lack of grounding in real-world regulatory frameworks, which undermines their safety and compliance capabilities. To bridge this gap, we present the first comprehensive, multi-domain safety and compliance dataset, systematically constructed to encompass 74 regulations, 12,985 structured rules, and 106,009 real-world cases spanning key domains including artificial intelligence, finance, healthcare, education, and human rights. Leveraging a web-search-based agent framework, we automatically collect and structure heterogeneous regulatory texts and their corresponding real-life instances from authoritative sources, ensuring strong alignment between rules and cases. Experimental validation confirms the dataset’s internal consistency, while large-scale benchmarking reveals fundamental limitations of current LLMs in regulatory reasoning and points toward actionable directions for improvement.

large language modelsmulti-domain regulationsreal-world cases

Hot Scholars

MK

Marina Kogan

Assistant Professor, University of Utah
Social computinghuman-centered data sciencenetwork sciencecrisis informatics
AL

Alexander Lex

Professor, Graz University of Technoloy and University of Utah
Information VisualizationVisualizationHCIVisual Analytics
AD

Aaron D. Ames

​​Bren Professor, Mechanical and Civil Engineering, Control and Dynamical Systems, Caltech
Safe ControlRoboticsAutonomyNonlinear Control
KC

Kaustav Chatterjee

Research Engineer, Pacific Northwest National Laboratory
Power System DynamicsStability and ControlWide-area MonitoringPMU Data
AC

Aaron Chan

Sahara AI
Machine LearningLarge Language ModelsAI AgentsDecentralized AI