NeMo Guardrails: The Production Guardrail Framework

SDD-B08 · Course 2B — Securing & Attacking Harnesses and LLMs

45 minutes · The programmable guardrail layer behind NemoClaw (Course 1 DD-09).

Five rail types enforce policy between user and model. Strengths: programmable, multi-rail, production-deployed, externally evaluated. The catch: the rails are themselves evaluated by models — so they are injectable. The guardrail is a model, and models are injectable.

Deep-Dive · SDD-B08

The five rail types: conversation lifecycle

RailStage governedWhat it catches
InputUser message before the modelToxicity, jailbreak patterns, PII, off-topic — 1st line vs injection
DialogConversation flowOn-topic check, canonical-form match, "this agent only discusses X"
RetrievalRAG chunks before the modelIndirect-injection filtering (SDD-B03); quarantine untrusted content
ExecutionTool calls + arguments + resultDisallowed tool invocation / argument manipulation (SDD-B04)
OutputResponse before the userLeaked data, harmful content, hallucinations — catches a model that complied

External evaluation: governance beneath the agent

The load-bearing architectural property. The guardrail layer is a SEPARATE PROCESS the agent calls through. The agent does not host, run, or reach the rails.
Course 1 Module 0.2 principle: if the agent can reach the enforcement layer, a compromised agent can disable it. NeMo realizes the fix — enforcement sits outside the agent's reach.
NemoClaw (Course 1 DD-09) is the production reference: +4 score over its parent, almost entirely from external guardrails evaluating every model call. "Governance done right."

B08.1 — What NeMo is

Five rails, Colang, external evaluation

Programmable policy: code, not a fixed filter

Fixed filter (provider-side safety classifier): black box, stops what the designer anticipated, cannot express deployment-specific constraints.
Programmable rail (NeMo): Colang + Python, policy is code, version-controlled, reviewable. Stops what the DEPLOYER specifies — deployment-specific compliance and brand policies.
The trade-off: programmable policy is only as good as the POLICY AUTHOR. A missing rail = a missing control. The framework does not infer the policy the deployer should have written. Audit the rail configuration (B11).

B08.2 — Strengths & governance architecture

Programmable, multi-rail, production-deployed

Three strengths

StrengthWhat it means
ProgrammablePolicy is code (Colang/Python), auditable, deployment-specific. Not a black box.
Multi-railDefense-in-depth across the conversation lifecycle. Input + output + retrieval + execution + dialog — each a layer.
Production-deployedNVIDIA maintains and ships it. NemoClaw (DD-09) uses it at production scale. Not a demo.
What external enforcement buys: the guardrails run EVEN WHEN THE AGENT IS COMPROMISED. A prompt injection that takes over the model cannot disable the input rails — they are not the model's code.

B08.3 — The attack surface

The guardrail is a model, and models are injectable

The load-bearing vulnerability

The rails are evaluated by MODELS — embedding models, LLM-based classifiers. External enforcement protects against DISABLE. It does NOT protect against EVADE.
Threat: DISABLE — a compromised agent reaches the rail and turns it off. STOPPED by external enforcement (the agent cannot reach the rail process).
Threat: EVADE — an adversarial input crafted against the RAIL'S OWN CLASSIFIER. The rail runs, classifies it as benign. NOT STOPPED.
Same structural property as SDD-B06: a pattern-calibrated classifier has a novel-pattern bypass. The context-specific attack technique, applied to the rail's classifier, evades it.

Bypass vectors per rail type

RailBypass vector
InputAdversarial-input evasion — craft against the classifier's known patterns (SDD-B06 technique on the rail's model)
OutputClassifier-targeting injection — response contains a prompt injection targeting the output rail's own classifier model
DialogCanonical-form confusion — a disallowed intent matching an allowed canonical form (indirection, SDD-B03)
RetrievalIndirect-injection passthrough — untrusted retrieved chunk not quarantined (SDD-B03)
ExecutionTool-argument manipulation — allowed tool, disallowed arguments (SDD-B04)
Each is a measurable residual. Measure the bypass RATE over N attempts (SDD-B03/SDD-B06), per rail AND end-to-end. No rate, no finding.

Defense-in-depth: every layer has a residual

LayerThe residual
Model refusal (SDD-B06)Falls in 5 queries (context-specific attack)
NeMo guardrails (this DD)Classifier-evasion bypass — the guardrail is a model
Harness governance (SDD-B04)Judge is injectable
Deterministic boundary (SDD-B05)Compilation residuals — but load-bearing
The prescription: NeMo composed with the layered architecture HOLDS. NeMo alone has the residuals this deep-dive measures. The deterministic boundary (IronCurtain) is the limit the probabilistic rails cannot provide.

Lab & what's next

Lab (07): build a simulated NeMo-style guardrail layer (five rail types with model-evaluated classifiers), craft adversarial inputs targeting each rail's classifier surface, measure the per-rail and end-to-end bypass rates over N attempts, and demonstrate the defense-in-depth composition. Python 3.10+, no GPU.

Next — SDD-B09: Prompt Injection Detection Models. The dedicated detection layer — classifiers trained to detect injection, distinct from the guardrail classifiers they complement.