{
  "module": "SDD-B08 — NeMo Guardrails: The Production Guardrail Framework",
  "course": "2B — Securing & Attacking Harnesses and LLMs",
  "version": "1.0.0",
  "duration_minutes": 30,
  "total_questions": 15,
  "bloom_distribution": {
    "target": "20% recall / 40% application / 40% analysis-design",
    "actual": { "recall": 3, "application": 6, "analysis": 6 }
  },
  "passing_score_percent": 70,
  "questions": [
    {
      "id": "Q01", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What are the five NeMo Guardrails rail types, and what stage of the conversation does each govern?",
      "options": [
        "Auth, logging, caching, routing, and monitoring rails.",
        "INPUT (user message before the model), OUTPUT (response before the user), DIALOG (conversation flow / canonical-form matching), RETRIEVAL (RAG chunks before the model — governs indirect injection), EXECUTION (tool calls + arguments + results — governs the function-call surface). Together they cover the full conversation lifecycle.",
        "Frontend, backend, database, API, and network rails.",
        "Training, fine-tuning, evaluation, deployment, and monitoring rails."
      ],
      "answer_index": 1,
      "rationale": "The five rails cover what comes in (input), what goes out (output), how the conversation flows (dialog), what is retrieved (retrieval — the indirect-injection surface per SDD-B03), and what is executed (execution — the function-call surface per SDD-B04). A well-configured deployment uses multiple rails in sequence — defense-in-depth (B2) realized at the guardrail layer."
    },
    {
      "id": "Q02", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What is the load-bearing architectural property of NeMo Guardrails, and what principle does it realize?",
      "options": [
        "The rails run inside the agent process for low latency.",
        "EXTERNAL EVALUATION: the guardrail layer is a SEPARATE PROCESS the agent calls through. The agent does not host, run, or reach the rails — it cannot disable or modify them. This realizes the Course 1 Module 0.2 principle: if the agent can reach the enforcement layer, a compromised agent can disable it. A compromised model (prompt injection, jailbreak) cannot turn off its own guardrails. This is why NemoClaw (DD-09) scored +4.",
        "The rails are compiled into the model weights at training time.",
        "The rails are managed by the model provider and cannot be configured by the deployer."
      ],
      "answer_index": 1,
      "rationale": "External evaluation is what makes NeMo the governance reference. By placing the rails outside the agent's process boundary, a compromised agent cannot reach them to disable them. NemoClaw's entire contribution over OpenClaw was this external governance layer. The agent can be fully compromised and the guardrails still run, because the guardrails are not the agent's code to control."
    },
    {
      "id": "Q03", "bloom": "recall", "type": "multiple_choice",
      "prompt": "State the load-bearing vulnerability of NeMo Guardrails.",
      "options": [
        "The rails cannot be configured for deployment-specific policies.",
        "THE GUARDRAIL IS A MODEL, AND MODELS ARE INJECTABLE. The rails are evaluated by models (embedding models, LLM-based classifiers, model-based canonical-form matching). These models are themselves subject to prompt injection, adversarial inputs, and the full range of model-level attacks (SDD-B06). External enforcement protects the rails from being DISABLED; it does NOT protect the rail's classifier from being EVADED by an input crafted against the classifier's model surface.",
        "The rails add too much latency to be usable in production.",
        "The rails only work with NVIDIA models, not other providers."
      ],
      "answer_index": 1,
      "rationale": "The rails run externally (protecting against DISABLE), but the classifiers ARE models — so they have false-negative surfaces and blind spots. An adversarial input crafted against the rail's classifier model passes through; the rail ran but classified the input as benign. This is the same novel-pattern bypass as SDD-B06, applied to the rail's classifier rather than the underlying model."
    },
    {
      "id": "Q04", "bloom": "application", "type": "multiple_choice",
      "prompt": "A NeMo-guardrailed system has input rails and output rails configured, but no retrieval rails. What attack surface is left unguarded, and what is the consequence?",
      "options": [
        "No surface is left unguarded — input and output rails are sufficient.",
        "The INDIRECT-INJECTION surface (SDD-B03). Without retrieval rails, untrusted retrieved RAG chunks pass to the model unfiltered/quarantined. An attacker who poisons the retrieval store with injection payloads has a clear path to the model. Retrieval rails are the layer that governs indirect injection; omitting them leaves the indirect channel open even if the direct (input/output) channel is guarded.",
        "The function-call surface — execution rails are missing.",
        "The conversation-flow surface — dialog rails are missing."
      ],
      "answer_index": 1,
      "rationale": "All five rail types cover the conversation lifecycle. Indirect injection arrives via retrieved content; retrieval rails are the layer that filters/quarantines untrusted chunks before they feed the model. Input + output rails alone cover only the direct channel. Similarly, omitting execution rails leaves the tool-argument manipulation surface open (SDD-B04), and omitting dialog rails leaves the canonical-form-confusion surface open. Each rail governs a distinct stage."
    },
    {
      "id": "Q05", "bloom": "application", "type": "multiple_choice",
      "prompt": "An attacker crafts an input that the input rail's toxicity classifier does not flag, but that causes the underlying model to comply with a disallowed request. What type of bypass is this, and why does external enforcement not stop it?",
      "options": [
        "A DISABLE bypass — the attacker turned off the rail.",
        "An EVADE bypass (adversarial-input evasion). The input was crafted against the rail's CLASSIFIER model surface — the context-specific technique from SDD-B06 applied to the rail's classifier. External enforcement protects the rail from being DISABLED (the agent cannot reach the rail process); it does NOT protect the classifier from being EVADED. The rail ran; it classified the adversarial input as benign because its classifier has blind spots.",
        "A network bypass — the attacker bypassed the guardrail process entirely.",
        "A configuration bypass — the rail was not configured correctly."
      ],
      "answer_index": 1,
      "rationale": "External enforcement protects against DISABLE (the agent cannot reach the rail process to turn it off). It does NOT protect against EVADE (the classifier is a model with false-negative surfaces). The input rail's classifier was trained on known patterns; an adversarial input crafted to avoid those patterns evades it — the same novel-pattern bypass as SDD-B06, applied to the rail's classifier rather than the underlying model."
    },
    {
      "id": "Q06", "bloom": "application", "type": "multiple_choice",
      "prompt": "You are red-teaming a NeMo-guardrailed system. How do you correctly measure the rail residuals, and what is the single most important metric?",
      "options": [
        "Run one attack; if it succeeds, report 'the guardrail is broken.'",
        "Measure per-rail bypass rates over N attempts under fixed parameters (rail config, model version, temperature), per SDD-B03/SDD-B06 methodology — input-rail rate, output-rail rate, etc. The single most important metric is the END-TO-END composition rate: the fraction of attacks that produce a disallowed output having passed EVERY rail in the chain. The real attack passes the whole chain, not one rail in isolation. No rate, no finding.",
        "Measure only the input-rail rate, since it is the first defense.",
        "Measure the latency the rails add and report that as the residual."
      ],
      "answer_index": 1,
      "rationale": "A single bypass is an anecdote. The honest measurement is a rate over N attempts under fixed parameters. The end-to-end rate matters most because the real attack passes the whole chain. Per-rail rates are useful diagnostics but the composition is what determines whether a disallowed output reaches the user. The rails are not independent when they share a model surface, so the composition must be tested directly."
    },
    {
      "id": "Q07", "bloom": "application", "type": "multiple_choice",
      "prompt": "A client deployed NeMo Guardrails and says 'our agent is fully defended against prompt injection.' Using the SDD-B04–SDD-B08 progression, construct the refutation and the correct prescription.",
      "options": [
        "Agree — NeMo is the strongest guardrail framework available.",
        "NeMo is a LAYER, not a BOUNDARY. Every defense layer has a residual: SDD-B04 (judge injectable), SDD-B05 (deterministic has compilation residuals), SDD-B06 (refusal falls in 5 queries), SDD-B08 (rails have classifier-evasion residuals — the guardrail is a model). Prescription: layered defense where each layer's bypass is bounded by the others. NeMo composed with the deterministic boundary (IronCurtain, SDD-B05) and harness controls (B4) HOLDS; NeMo alone has measurable residuals.",
        "Recommend removing NeMo and using a different guardrail framework.",
        "Recommend disabling the guardrails for performance and relying on the model's refusal training."
      ],
      "answer_index": 1,
      "rationale": "No single layer suffices (B2's thesis). NeMo's input rails raise the bar and provide signal; output rails catch what input misses; retrieval/execution rails govern the indirect-injection and tool surfaces. But the deterministic boundary (IronCurtain) is the LIMIT the probabilistic rails cannot provide. A NeMo deployment alone has the residuals this deep-dive measures; composed with the layered architecture, each residual is bounded by the others."
    },
    {
      "id": "Q08", "bloom": "application", "type": "multiple_choice",
      "prompt": "What is the output-rail bypass vector, and how does it differ from the input-rail vector?",
      "options": [
        "The output rail cannot be bypassed because it runs after the model.",
        "CLASSIFIER-TARGETING INJECTION. The output rail checks the model's response using an LLM-based classifier. If the response contains a PROMPT INJECTION targeting the output rail's classifier model itself (embedded instructions causing the classifier to categorize the response as benign), the rail is fooled. This differs from the input-rail vector (adversarial-input evasion against the input classifier) — here the attack is in the RESPONSE the output rail is evaluating, targeting the rail's own classifier model.",
        "The output-rail vector is the same as the input-rail vector.",
        "The output rail is bypassed by disabling the guardrail process."
      ],
      "answer_index": 1,
      "rationale": "The output rail's classifier is itself a model evaluating text. If the text (the model's response) contains a prompt injection targeting that classifier, the classifier can be manipulated into categorizing a disallowed response as benign. The input-rail vector crafts an input against the input classifier; the output-rail vector crafts a response (via a crafted input to the underlying model) that targets the output classifier. Both exploit the 'guardrail is a model' property."
    },
    {
      "id": "Q09", "bloom": "application", "type": "multiple_choice",
      "prompt": "What is Colang, and what is the trade-off of programmable guardrail policy?",
      "options": [
        "Colang is a compiled language that makes guardrails faster.",
        "Colang is NeMo's DSL for conversational flow and rail definition (with Python for actions). Programmable policy means the rail is CODE — version-controlled, reviewable, can express deployment-specific constraints a fixed filter cannot. TRADE-OFF: programmable policy is only as good as the POLICY AUTHOR. A MISSING RAIL = a MISSING CONTROL, and the framework does not infer the policy the deployer should have written. Audit the rail configuration (B11).",
        "Colang is a model training framework that improves classifier accuracy.",
        "Colang is a fixed set of guardrail templates that cannot be customized."
      ],
      "answer_index": 1,
      "rationale": "Programmability distinguishes NeMo from a fixed provider-side safety classifier (a black box). The policy is legible to security/compliance processes (B11). But the framework does not fill gaps automatically — a rail set that omits the deployment-specific constraints is a rail set with gaps. The deployer must author and audit the complete policy; a missing rail is a missing control."
    },
    {
      "id": "Q10", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "A NeMo system has a 5% input-rail bypass rate and a 5% output-rail bypass rate. A colleague calculates the end-to-end rate as 0.25% (5% × 5%) under independence. Why is this calculation likely wrong, and what should the red-team do instead?",
      "options": [
        "The calculation is correct — independence is a safe assumption.",
        "The rails are NOT independent when they SHARE an underlying model surface. An adversarial technique that evades the input rail's classifier may ALSO evade the output rail's classifier if both use the same model class (e.g., both LLM-based). The composition is WEAKER than the independence calculation suggests. The red-team must test the composition DIRECTLY — measure the actual end-to-end rate by running attacks through the full chain, because the real attack passes every rail, not one in isolation.",
        "The calculation is wrong because the rates should be added, not multiplied.",
        "The calculation is wrong because the rates should be averaged."
      ],
      "answer_index": 1,
      "rationale": "Independence is the optimistic assumption. When rails share a model surface (same embedding model, same LLM class), a technique that evades one may evade the other — the bypasses are correlated, not independent. The product calculation understates the real risk. The only honest measurement is to run attacks through the full chain and count the end-to-end successes. This is why per-rail rates alone are insufficient diagnostics."
    },
    {
      "id": "Q11", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "How does NeMo Guardrails fit into the SDD-B04 through SDD-B08 defense-layer progression, and what is the synthesis?",
      "options": [
        "NeMo replaces all prior defense layers with a single guardrail framework.",
        "Every defense layer has a residual: SDD-B04 CrabTrap's judge is INJECTABLE; SDD-B05 IronCurtain's deterministic policy has COMPILATION RESIDUALS; SDD-B06 the refusal layer falls in 5 QUERIES; SDD-B08 NeMo's guardrails have CLASSIFIER-EVASION RESIDUALS (the guardrail is a model). Synthesis (B2's thesis): no single layer suffices. Prescription: layered defense where each layer's bypass is bounded by the others. NeMo is the strongest production realization of governance-beneath-the-agent, and it is a layer with a residual.",
        "NeMo is the only layer that has no residual, making it sufficient alone.",
        "NeMo should be used instead of the model's refusal training."
      ],
      "answer_index": 1,
      "rationale": "The progression establishes that every probabilistic defense layer — refusal training, guardrails, harness judges — has a bypass. The deterministic boundary (IronCurtain) is the limit they cannot provide. NeMo's contribution is the programmable, multi-rail, externally-evaluated governance layer. Composed with the layered architecture, each residual is bounded by the others. This is the architecture that holds; NeMo alone does not."
    },
    {
      "id": "Q12", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Describe the dialog-rail bypass vector (canonical-form confusion) and explain how it relates to the indirect-injection technique from SDD-B03.",
      "options": [
        "Dialog rails cannot be bypassed because they use deterministic matching.",
        "CANONICAL-FORM CONFUSION: the dialog rail matches the user's request to a canonical form to determine if it is on-topic. An adversarial request engineered to MATCH an allowed canonical form while carrying a DISALLOWED intent passes the dialog rail. This is the same INDIRECTION technique as indirect injection (SDD-B03): the attack is semantically disallowed but superficially on-topic. The model cannot reliably distinguish 'a legitimate on-topic request' from 'a disallowed intent disguised as on-topic' because both arrive as text matching the canonical form.",
        "The dialog-rail vector requires disabling the guardrail process.",
        "The dialog rail is bypassed by sending empty messages."
      ],
      "answer_index": 1,
      "rationale": "The dialog rail's canonical-form matcher is a model-based classifier. An adversarial request crafted to match an allowed form while carrying a disallowed intent exploits the same text-channel ambiguity as indirect injection. The red-team probes the matcher with requests that are semantically disallowed but superficially on-topic. This is the indirection principle: the attack hides inside a form the rail is configured to allow."
    },
    {
      "id": "Q13", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Design a red-team methodology for measuring a NeMo-guardrailed system's residuals. What do you measure, and what do you report?",
      "options": [
        "Measure only whether the rails can be disabled; report pass/fail.",
        "Measure PER-RAIL rates (input, output, retrieval, execution) AND the END-TO-END composition rate over N attempts under fixed params (rail config, model version, temperature). Test the composition directly (rails sharing a model class are not independent — correlated bypasses). Identify the attack classes that evaded shared model surfaces. Report: per-rail rates, end-to-end rate, the correlated-bypass findings, and the recommendation to compose NeMo with the deterministic boundary (SDD-B05) to bound the residuals. Every measurement is a rate with full parameter recording.",
        "Measure the latency the rails add; report it as the residual.",
        "Measure only the input rail; assume the others are equivalent."
      ],
      "answer_index": 1,
      "rationale": "The methodology follows SDD-B03/SDD-B06: rates over N attempts under fixed parameters. Per-rail rates are diagnostics; the end-to-end rate is the finding that matters (the real attack passes the whole chain). The correlated-bypass test is critical because shared model surfaces break the independence assumption. The recommendation connects to the layered architecture: NeMo composed with the deterministic boundary bounds the residuals."
    },
    {
      "id": "Q14", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why does the 'guardrail is a model' vulnerability mean that external enforcement is necessary but not sufficient? Construct the argument.",
      "options": [
        "External enforcement is unnecessary because the rails are models.",
        "External enforcement is NECESSARY: it protects the rails from being DISABLED by a compromised agent (the agent cannot reach the rail process — Course 1 Module 0.2). Without it, a prompt-injected model could turn off its own guardrails. But it is NOT SUFFICIENT: it does not protect the rail's CLASSIFIER from being EVADED. The classifier is a model with false-negative surfaces; an adversarial input crafted against it passes through (the rail ran but classified it as benign). Necessary (stops DISABLE) but not sufficient (does not stop EVADE) — the guardrail is a layer with a residual, requiring the layered architecture to bound it.",
        "External enforcement is sufficient because it makes the rails invulnerable.",
        "External enforcement is necessary only for performance reasons."
      ],
      "answer_index": 1,
      "rationale": "The argument has two parts. Necessity: without external enforcement, a compromised agent disables the rails (the Module 0.2 principle). Insufficiency: external enforcement does not address the classifier's own model surface — the EVADE threat. This is why NeMo is a layer, not a boundary: it solves the DISABLE problem but not the EVADE problem, and the EVADE residual requires the other layers (deterministic boundary, harness controls) to bound it."
    },
    {
      "id": "Q15", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "A NeMo deployment uses an embedding model for the input rail's toxicity check and the SAME embedding model for the retrieval rail's content filter. Why does this shared dependency weaken the composition, and what is the implication for the red-team?",
      "options": [
        "Shared dependencies improve performance with no security impact.",
        "The shared embedding model means a bypass technique that evades the input rail's toxicity classifier may ALSO evade the retrieval rail's content filter — the bypasses are CORRELATED, not independent. The composition's end-to-end rate is HIGHER than the independence-product calculation would suggest. Implication for the red-team: test the composition directly with techniques targeting the shared model surface; do not rely on the per-rail product calculation. Identify shared model dependencies across rails as a structural weakness, and recommend diversifying the classifier models (different model classes per rail) to restore independence.",
        "The shared dependency means only the input rail needs testing.",
        "The shared dependency makes the rails redundant, so one can be removed."
      ],
      "answer_index": 1,
      "rationale": "Independence is the assumption that makes the product calculation valid. When rails share a model surface (same embedding model, same LLM class), bypasses are correlated — a technique effective against the shared model evades multiple rails at once. The red-team must test the composition directly and identify shared dependencies as structural weaknesses. The defensive recommendation is model diversification: different classifier classes per rail to restore independence and make the composition's product calculation valid."
    }
  ]
}
