AI

AI Guardrails: Keeping LLM Apps Safe and Reliable in Production

Tackxel Team21 May 202611 min read
AI Guardrails: Keeping LLM Apps Safe and Reliable in Production

The phrase "AI guardrails" gets used loosely enough that it's worth being honest about what it actually means. It's not a content filter. It's not a system prompt that says "be helpful and harmless." It's the engineering layer that decides what your AI product is allowed to do, what it's required to do, and how it behaves when those expectations meet adversarial users, malformed inputs, model drift, and the long tail of edge cases nobody anticipated. Without it: liability, embarrassment, and the kind of incident that ends up on Hacker News at 2am.

We build guardrails into every AI product we ship — including Lexa, Pakistan's first AI legal chatbot, where the cost of an ungrounded "you should sue your neighbour" response isn't theoretical. This post is the practical engineering view: the three layers of guardrails, what each catches, how to think about cost vs coverage, and where the tools fit.

Why guardrails matter more than you think

A research demo can do almost anything. A production AI product can't. The difference is the surface area: a demo lives in a closed room with friendly questions; a production system lives in the open with users who'll deliberately try to break it. The model is identical. The thing that changes is everything around it.

Real situations where guardrails are the difference between shipping and not:

  • A customer-service chatbot that "agreed" to refund a non-existent order because the user phrased the request authoritatively.
  • A legal AI that confidently gave a specific interpretation of a statute it had no business interpreting.
  • An internal AI that leaked PII into logs because output formatting wasn't enforced.
  • A code-suggesting copilot that recommended a vulnerable library because the prompt asked for "the simplest one."

In each case, the model wasn't broken. The wrapping was missing. That wrapping is what guardrails are.

The three layers of guardrails

A production guardrail stack has three layers. Most teams build one or two and skip the third.

Layer 1 — input guardrails

Before the model sees the user's input, you check it. What gets caught here:

  • Prompt injection. Users embedding instructions in their input that try to override the system prompt. ("Ignore all previous instructions and...") A simple classifier or regex catches the obvious cases; a stronger guard model handles the subtle ones.
  • Off-topic / out-of-scope queries. A legal AI shouldn't try to answer "what's the best Italian restaurant in London." A topic classifier or a small LLM-as-judge call routes these to a polite refusal before they reach the main model.
  • Abuse, harm, and disallowed content. A toxicity classifier or a safety filter (your provider's built-in moderation, or an open-source equivalent).
  • Malformed inputs. Empty messages, absurd lengths, encoding tricks, repeated characters designed to drain the budget.

Input guardrails are cheap and catch most of the obvious cases. They're also the layer most often skipped because the team assumes the system prompt will handle it. The system prompt is not a guardrail. It's a request.

Layer 2 — output guardrails

After the model produces a response, before that response reaches the user, you check it. What gets caught here:

  • PII or sensitive data leakage. A redaction layer that catches phone numbers, email addresses, account numbers, or domain-specific identifiers the response shouldn't contain.
  • Format adherence. If the response is supposed to be structured JSON, validate the schema. If it's supposed to cite sources, validate the citations exist. Reject and retry on failure.
  • Factual claims against ground truth. For grounded systems, verify that asserted facts trace back to retrieved context. The single most effective hallucination guard for RAG systems.
  • Toxicity / safety on output. A safety classifier — a small one is fine — running on every generated response.
  • Domain-specific rules. A legal AI checking that responses contain an appropriate disclaimer; a medical AI checking that diagnostic claims aren't asserted; a financial AI checking that responses include a "not financial advice" line where required.

Output guardrails are where most of the regulatory and brand risk gets caught. They're also where the latency-vs-coverage trade-off bites hardest — each check adds time. The discipline is choosing which checks are cheap and run every time, and which are expensive and sampled.

Layer 3 — behavioural constraints

The architectural and prompt-level decisions that shape how the model behaves before any specific input/output even happens. This includes:

  • A tight, well-scoped system prompt that defines what the AI is and isn't, what tone it uses, when it refuses.
  • A small, well-typed tool catalogue (for agents) — too many tools and the model misuses them.
  • Refusal logic — explicit handling for the categories the AI shouldn't engage with, with graceful fallback to a human or a help article rather than a flat "I can't help."
  • Escalation paths — when the system can't confidently answer, it knows how to hand off (route to a human, surface a help article, log for human review).

Layer 3 is the design layer of guardrails. Done well, it makes Layers 1 and 2 simpler.

A concrete example: how Lexa handles "Should I sue my neighbour?"

A user asks: "My neighbour's tree fell on my fence. Should I sue him for £5,000?"

What a naive legal chatbot does: gives a confident, specific answer, possibly invents a section of law, and now your product is liable for advice it had no business giving.

What Lexa does:

  1. Input guardrails flag this as a request for specific legal advice on an actionable matter — not just a question about the law.
  2. System prompt instructs the model to provide general guidance on the relevant area of law (in this case, neighbour disputes / nuisance / property damage), not a recommendation for a specific course of action.
  3. RAG retrieval pulls the relevant sections of the actual legal corpus so the answer is grounded.
  4. Output guardrails check that the response includes the appropriate disclaimer ("this is general information, not legal advice; consult a lawyer for your specific situation"), that citations point to real legal text, and that no specific monetary or jurisdictional recommendation is given.
  5. Escalation path offers a clear next step: "if you'd like specific advice for your situation, here's how to find a qualified lawyer."

The user gets useful, accurate, general guidance. The system stays within its competence. The product stays out of liability territory. This is what guardrails buy you. (We dug into the design and UX side of this in designing for trust.)

Open source vs custom — the tooling landscape

A few options worth knowing about as of mid-2026:

  • Guardrails AI. Open-source framework for input/output validation with a growing library of pre-built validators. Useful starting point.
  • Lakera Guard. Strong commercial option for prompt-injection defence and PII handling.
  • NeMo Guardrails (NVIDIA). Programmable guardrail framework using a dialogue-flow DSL. Heavier weight; useful where you want explicit conversational control flow.
  • Provider-native moderation. OpenAI, Anthropic, Google all offer some level of built-in safety filtering. Useful as a baseline; not sufficient on its own.
  • Custom. For most production systems we end up writing some custom guardrail logic specific to the domain — there's no off-the-shelf rule that knows what a legal disclaimer should look like for your jurisdiction.

There's no single right answer; the right stack is usually open-source + provider-native + custom rules for your domain.

The cost trade-offs

Every guardrail layer adds latency and cost. Honest engineering choices:

  • Run cheap checks every time. Regex-based PII redaction, toxicity classifier, schema validation. Single-digit milliseconds.
  • Run expensive checks where they earn their keep. LLM-as-judge factuality validation against retrieved context: maybe on every response for high-stakes; maybe sampled at 10% for low-stakes plus full on flagged ones.
  • Stream the response with progressive checks. Run lightweight checks during generation, full checks at end of stream.
  • Cache aggressively. Many guardrail checks are deterministic — cache the results.

And measure the trade-off: false positive rate, false negative rate, p95 latency added per check, cost per check. Treat guardrails as a feature with metrics, not a moral commitment. (The broader eval picture is in our LLM evaluation guide.)

What we'd tell anyone shipping a guardrailed AI feature

  • Build all three layers, even if shallow at first.
  • Treat the system prompt as the design surface, not the safety net.
  • Validate output against retrieved context for any grounded system.
  • Refuse loudly, not silently. Bad outputs hidden are worse than visible declines.
  • Measure your guardrails. Track false positives and negatives.
  • Plan for model drift. The same prompt against a new model behaves differently.

This is the standard we hold every AI integration we ship to — not as paperwork, but as the engineering that decides whether the product survives contact with real users.

FAQ

Are guardrails just system prompts? No. The system prompt is the behavioural intent. Guardrails are the engineering that enforces that intent. Both matter; they're different things.

Can I rely on the model provider's safety filters? For baseline safety, partly. For domain-specific behaviour (legal disclaimers, financial constraints, healthcare phrasing), you'll need your own layer. Provider safety filters don't know about your domain.

How much do guardrails add to latency? Cheap checks: a few milliseconds. LLM-as-judge checks: hundreds of milliseconds to a few seconds. Plan based on which checks need to be on every response and which can be sampled.

Will guardrails ever fully prevent jailbreaks? No. They reduce the rate dramatically; they don't eliminate it. Defence in depth — multiple cheap layers — is more robust than one heavy layer.

Where should domain-specific guardrails live? In code, version-controlled, evaluable. Domain experts should be able to see and contribute to them; engineers should be able to test them. Not in a one-off prompt that no one knows who edited last.

Building a customer-facing AI feature and need a guardrail stack that doesn't embarrass you? Book a 30-minute call — we'll review your specific risks and recommend the layers that actually pay back.

Share
All posts

Need help building this?

Tell us what you're trying to ship — a 30-minute call with the founder, no sales reps.

Book a call

Related posts

Building Production AI Agents: Architecture, Evals, and What Actually Ships
AI

Building Production AI Agents: Architecture, Evals, and What Actually Ships

Building AI agents that actually work in production — architecture, eval pipelines, failure modes, and when not to build one. From the team that ships real AI.

Read post
What is MCP (Model Context Protocol)? A Practical Guide for Product Teams
AI

What is MCP (Model Context Protocol)? A Practical Guide for Product Teams

MCP (Model Context Protocol) explained for product teams in 2026 — what it is, why Anthropic created it, when to use it, and when to skip it.

Read post
How to Evaluate LLM Outputs in Production (Eval Pipelines That Actually Work)
AI

How to Evaluate LLM Outputs in Production (Eval Pipelines That Actually Work)

How to build LLM evaluation pipelines that catch real production issues — deterministic, LLM-as-judge, human evals. Techniques from shipping real AI.

Read post