How to Implement LLM Guardrails

In my work with organizations rolling out AI and generative AI solutions, one concern I hear repeatedly from leaders, and the c-suite is how to get a clear, centralized “AI Risk Center” to track AI safety, large language model's accuracy, citation, attribution, performance and compliance etc. Operational leaders want automated governance reports—model cards, impact assessments, dashboards—so they can maintain trust with boards, customers, and regulators. Business stakeholders also need an operational risk view: one place to see AI risk and value across all units, so they know where to prioritize governance. One of such framework is MITRE’s ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) Matrix. This framework extends MITRE ATT&CK principles to AI, Generative AI, and machine learning, giving us a structured way to identify, monitor, and mitigate threats specific to large language models. ATLAS addresses a range of vulnerabilities—prompt injection, data leakage, malicious code generation, and more—by mapping them to proven defensive techniques. It’s part of the broader AI safety ecosystem we rely on for robust risk management. On a practical level, I recommend pairing the ATLAS approach with comprehensive guardrails - such as: • AI Firewall & LLM Scanner to block jailbreak attempts, moderate content, and detect data leaks (optionally integrating with security posture management systems). • RAG Security for retrieval-augmented generation, ensuring knowledge bases are isolated and validated before LLM interaction. • Advanced Detection Methods—Statistical Outlier Detection, Consistency Checks, and Entity Verification—to catch data poisoning attacks early. • Align Scores to grade hallucinations and keep the model within acceptable bounds. • Agent Framework Hardening so that AI agents operate within clearly defined permissions. Given the rapid arrival of AI-focused legislation—like the EU AI Act, now defunct  Executive Order 14110 of October 30, 2023 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence) AI Act, and global standards (e.g., ISO/IEC 42001)—we face a “policy soup” that demands transparent, auditable processes. My biggest takeaway from the 2024 Credo AI Summit was that responsible AI governance isn’t just about technical controls: it’s about aligning with rapidly evolving global regulations and industry best practices to demonstrate “what good looks like.” Call to Action: For leaders implementing AI and generative AI solutions, start by mapping your AI workflows against MITRE’s ATLAS Matrix. Mapping the progression of the attack kill chain from left to right - combine that insight with strong guardrails, real-time scanning, and automated reporting to stay ahead of attacks, comply with emerging standards, and build trust across your organization. It’s a practical, proven way to secure your entire GenAI ecosystem—and a critical investment for any enterprise embracing AI.

The secret to building reliable AI apps is to break non-deterministic logic into small, testable, and safeguarded units—here's how: 1. Identify the smallest units of non-determinism in your code - Let's say you're calling OpenAI multiple times—with different prompts/tools - Each LLM call is a non-deterministic unit, and it can't be broken down any further. I like to call these "Non-Deterministic Atoms" (or NDAs) 😂 Every AI block is an NDA by definition, whether it’s an ML call to predict_proba(), retrieval in RAG, or a GenAI call. 2. What’s the *minimal* input and output necessary for each NDA? - Inputs could be chat history, user messages, or any other state. - The output could be the response message and any tool calls. 💡 Tip: Make sure to make your input/output are 100% serializable—use Pydantic for Python or Zod for TypeScript. This will be useful for observability later on! 3. Build your NDA's logic - Construct the system prompt from the input parameters - Add any available tools - Call the LLM API - Parse the response and serialize it into your NDA's output format Note: The tool's logic shouldn't be part of your NDA if it's deterministic (like API calls). 💡 Tip: Use constrained decoding / structured outputs as much as possible to limit the result of the LLM (check out sglang on github, it's awesome!) 4. Add Guardrails to your NDA - Each guardrail can run on the input and/or output of your NDA - Guardrails should run both at testing time (you'll need a dataset for that), and at runtime. - Use Aporia's multiSLM engine to implement smart guardrails that can run fast at runtime. By adding guardrails to your NDA, you essentially 'reduce' the level of non-determinism, which in turn, increases its reliability.

The biggest lesson I learned after building my own LLM-powered product... 👉 LLMs hallucinate, and you are responsible for what happens next. Let me tell you exactly how... If you're building anything customer-facing with GenAI, it's not enough to get good outputs most of the time. These are 4 things I implementing early on: 1. Structured output checks 🧱 I used regex and simple schema validation to catch when the LLM went off-script, especially for things like JSON outputs or bullet lists that needed to feed into the UI. 2. Fallback logic 🔁 If the model failed validation or returned something unusable, I defaulted to templated messages or prompts with tighter constraints. Even a basic retry with a more constrained prompt can go a long way. 3. Guardrails 🛡️ I didn’t build full-on moderation pipelines, but I did include intent checks and topic restrictions to avoid unsupported questions or off-topic use cases. It helped keep the product focused and safer. 4. Input sanitization 🧼 User inputs were cleaned and constrained before going into prompts. You’d be surprised how much hallucination you can reduce just by being more deliberate about what context you inject. It's not just about designing good prompts and letting the LLM do the rest, (especially when the stakes are high) It’s about building systems that expect failure and recover gracefully. If you are curious to know more about what tool I built, it's called Applio.ai -- Image by Amazon (AWS Blogs) #AIEngineering #AI #GenAI #DataScience

Not an investor in Lakera, but a good example of why an open source approach might be best suited for LLM prompt security. Apart from the hygiene PII, PCIe or prompt injection checks, you also might need checks specific to your company and use case. Also the ability to run it in your own environment vs sending each prompt and response to an external SaaS service. https://lnkd.in/gsMk787y Here, a textual LLM prompt is directed through one or more prompt security chains before hitting the model. We have a security chain that makes Lakera Guard security API endpoint requests to our internally-hosted Docker container, which responds with confidence scores for prompt injection and jailbreak attacks. Dropbox services can then action on the returned Lakera Guard prompt security categories as appropriate for the application. Prompts that are deemed to be safe are then passed to the LLM—either a third-party model, like GPT-4, or an internally hosted open-source model, like LLaMA 3, depending on the use case—which produces a textual response. The LLM’s response is then passed through our content moderation chains, which analyze the text for potentially harmful topics. The moderation chain calls out to Lakera’s content moderation API endpoint to identify harassing or explicit content that the Dropbox feature or service can withhold from the user as configured.