Coding 4 Bread
Back to blog
llmai-safetyguardrailsresponsible-ai

LLM Engineering: Implementing Guardrails for Responsible AI

If you're building anything with LLMs right now, guardrails aren't optional — they're table stakes. Interviewers are asking about this. Production incidents are happening because of this. And…

LLM Engineering: Implementing Guardrails for Responsible AI

If you're building anything with LLMs right now, guardrails aren't optional — they're table stakes. Interviewers are asking about this. Production incidents are happening because of this. And frankly, shipping an AI feature without safety controls is the kind of thing that ends careers and tanks trust in your product overnight.

Let's talk about what guardrails actually are, how to implement them, and what patterns hold up in production.

Why Guardrails Matter (And Why They're Harder Than They Look)

LLMs are probabilistic systems. They don't *know* rules — they *approximate* patterns. That means even a well-prompted model can be coaxed into generating harmful content, leaking system prompt details, confidently hallucinating facts, or going wildly off-topic.

The failure modes are real:

  • A customer support bot that starts giving medical or legal advice it shouldn't
  • A code assistant that generates insecure snippets with hardcoded credentials
  • A chatbot that can be jailbroken into ignoring its persona with a clever prompt

    • Guardrails are the layer of controls you put around LLM calls to catch these failures before they hit your users. Think of them as input validation and output sanitization — concepts you already know from traditional software, applied to a much messier domain.

    The Two Layers: Input and Output

    Every guardrail system has two sides.

    Input guardrails screen what goes *into* the model. They catch prompt injection attempts, filter out requests for harmful content, and enforce scope (e.g., "this assistant only answers questions about our product").

    Output guardrails screen what comes *out* of the model. They validate that the response is safe, on-topic, factually structured, and doesn't contain things like PII, hate speech, or hallucinated citations.

    Most teams start with output guardrails because the damage is visible there. But input guardrails are what prevent adversarial users from manipulating your system in the first place.

    Implementing Basic Guardrails in Python

    Here's a practical pattern using a moderation check before and after the LLM call. We'll use OpenAI's Moderation API as the safety layer, but the pattern works with any classifier.

    import openai
    client = openai.OpenAI()
    def check_moderation(text: str) -> dict:
    """Returns moderation results for a given text."""
    response = client.moderations.create(input=text)
    result = response.results[0]
    return {
        "flagged": result.flagged,
        "categories": {k: v for k, v in result.categories.__dict__.items() if v}
    }
    def safe_chat_completion(user_message: str, system_prompt: str) -> str:
    # --- Input guardrail ---
    input_check = check_moderation(user_message)
    if input_check["flagged"]:
        return f"I can't help with that. Flagged categories: {list(input_check['categories'].keys())}"
        # --- LLM call ---
    response = client.chat.completions.create(
        model="gpt-4o",
        messages=[
            {"role": "system", "content": system_prompt},
            {"role": "user", "content": user_message}
        ]
    )
    output_text = response.choices[0].message.content
        # --- Output guardrail ---
    output_check = check_moderation(output_text)
    if output_check["flagged"]:
        return "I generated a response that didn't meet our safety standards. Please rephrase your question."
        return output_text

    This is the skeleton. In production you'd want logging, metrics on flag rates, and a fallback strategy — but this structure is the right starting point.

    Topic Scoping with a Classifier Guardrail

    Moderation APIs catch harmful content, but they won't stop your customer support bot from writing someone's cover letter. For scope enforcement, you need a topic classifier.

    A lightweight approach is using a second LLM call as a binary classifier:

    def is_on_topic(user_message: str, topic_description: str) -> bool:
    """Use a fast model to check if the message is within scope."""
    response = client.chat.completions.create(
        model="gpt-4o-mini",  # Use a cheaper, faster model for this
        messages=[
            {
                "role": "system",
                "content": (
                    f"You are a topic classifier. The allowed topic is: {topic_description}. "
                    "Reply with only 'YES' if the user's message is on-topic, or 'NO' if it is not."
                )
            },
            {"role": "user", "content": user_message}
        ],
        max_tokens=5,
        temperature=0
    )
    answer = response.choices[0].message.content.strip().upper()
    return answer == "YES"
    Usage
    
topic = "questions about our SaaS billing and subscription plans"
user_input = "Can you write me a poem about cats?"
    if not is_on_topic(user_input, topic):
    print("Sorry, I can only help with billing and subscription questions.")

    Using temperature=0 and max_tokens=5 keeps this fast and deterministic. The cost is minimal — you're running a tiny classification call, not a full generation.

    Structured Output Validation

    Another class of guardrail is output *structure* validation. If your LLM is supposed to return JSON, enforce it. Don't trust the model to always comply.

    import json
from pydantic import BaseModel, ValidationError
    class ProductRecommendation(BaseModel):
    product_name: str
    reason: str
    confidence_score: float  # expected between 0 and 1
    def get_validated_recommendation(user_query: str) -> ProductRecommendation | None:
    response = client.chat.completions.create(
        model="gpt-4o",
        messages=[
            {
                "role": "system",
                "content": "Return a JSON object with keys: product_name, reason, confidence_score."
            },
            {"role": "user", "content": user_query}
        ],
        response_format={"type": "json_object"}
    )
        raw_json = response.choices[0].message.content
    try:
        data = json.loads(raw_json)
        return ProductRecommendation(**data)
    except (json.JSONDecodeError, ValidationError) as e:
        print(f"Output validation failed: {e}")
        return None

    Pydantic does the heavy lifting here. If the model returns a confidence_score of "high" instead of 0.9, you catch it before it causes a runtime error downstream.

    Practical Tips From the Trenches

    Layer your defenses. No single guardrail catches everything. Use moderation APIs + topic classifiers + output validation together. Defense in depth applies here just like in security.

    Log everything you flag. Flagged inputs and outputs are gold for improving your system. You'll spot patterns — certain phrasings that keep triggering false positives, or gaps in your topic classifier's coverage.

    Tune for your false positive rate. An overly aggressive guardrail that blocks legitimate requests is also a failure. Track your flag rate and review flagged samples regularly. If 20% of normal user requests are getting blocked, your guardrail is broken.

    Use cheaper models for guardrail calls. GPT-4o-mini or similar fast models are perfectly capable of binary classification tasks. Don't burn expensive tokens on a yes/no safety check.

    Consider third-party guardrail libraries. Tools like [Guardrails AI](https://github.com/guardrails-ai/guardrails), [NeMo Guardrails](https://github.com/NVIDIA/NeMo-Guardrails), and [LlamaGuard](https://ai.meta.com/research/publications/llama-guard-llm-based-input-output-safeguard-for-human-ai-conversations/) give you pre-built validators and safety classifiers. You don't have to build all of this from scratch.

    Next Steps

    Here's what to do with this:

  • Audit your current LLM calls. Do you have *any* input or output validation? If not, start with the moderation check pattern above — it takes 30 minutes to add.

  • Define your scope explicitly. Write down what your AI feature is and isn't supposed to do. That definition becomes your topic classifier prompt.

  • Add structured output validation to any LLM call that's supposed to return structured data. Pydantic + JSON mode is a quick win.

  • Set up logging for flagged content. Even a simple database table or log file works. You need this data to improve over time.

  • Read up on NeMo Guardrails if you're building a conversational agent — it has a declarative way to define conversation flows and safety rules that scales better than ad-hoc prompt engineering.

    • Guardrails aren't a one-time setup — they're an ongoing practice. The threat landscape evolves, your users find new edge cases, and your product scope changes. Treat your safety layer like any other production system: monitor it, iterate on it, and take it seriously.