# LLM Guardrails in Practice: What Actually Works > Source: > Published: 2026-06-15 00:00:00+00:00 # LLM Guardrails in Practice: What Actually Works Control the risk, not just the model. LLMs are unpredictable. They hallucinate, leak data, generate harmful content, or refuse legitimate requests. Guardrails constrain model behavior without sacrificing capability. The key is knowing which guardrails matter and which are just noise. Guardrails aren’t about controlling the model. They’re about controlling the risk. ## Input validation The most important guardrail. Bad input gets bad output, and bad input can also prompt-inject your system. ### Strategy 1: Prompt Sanitization Sanitize dangerous patterns early: ``` python import re class PromptSanitizer: def __init__(self): self.dangerous_patterns = [ r"ignore\s+previous\s+instructions", r"system\s+prompt", r"you\s+are\s+now\s+free", r"break\s+out\s+of", ] def sanitize(self, prompt: str) -> str: for pattern in self.dangerous_patterns: prompt = re.sub(pattern, "[REDACTED]", prompt, flags=re.IGNORECASE) return prompt ``` This isn’t bulletproof. Adversarial inputs are creative. But it catches the obvious ones, and the obvious ones are the most common. ### Strategy 2: Input Length Limits Length limits prevent token waste and timeouts: ``` python class InputValidator: def __init__(self, max_length: int = 10000): self.max_length = max_length def validate(self, prompt: str) -> tuple[bool, str]: if len(prompt) > self.max_length: return False, f"Input too long: {len(prompt)} > {self.max_length}" return True, "OK" ``` ### Strategy 3: Content Filtering Content filtering blocks policy violations. The patterns here depend on your domain: ``` python class ContentFilter: def __init__(self): self.blocked_topics = [ "violence", "hate speech", "self-harm", "sexual content", "illegal activities", ] def filter(self, prompt: str) -> tuple[bool, str]: prompt_lower = prompt.lower() for topic in self.blocked_topics: if topic in prompt_lower: return False, f"Blocked: {topic}" return True, "OK" ``` Simple string matching is fast but imprecise. For production, use a classifier model — even a small one like Qwen2.5-1.5B — to detect policy violations. It’s more accurate and harder to evade. ## Output filtering The model’s output needs checking too. Structure, content, and facts. ### Strategy 1: Response Validation Validate structure first. If you expect JSON, check for JSON: ``` python class ResponseValidator: def __init__(self): self.required_fields = ["answer", "confidence"] def validate(self, response: dict) -> tuple[bool, str]: for field in self.required_fields: if field not in response: return False, f"Missing field: {field}" return True, "OK" ``` ### Strategy 2: Content Filtering Filter harmful content: ``` python class OutputFilter: def __init__(self): self.blocked_patterns = [ r"kill\s+someone", r"bomb\s+recipe", r"hate\s+speech", r"self-harm", ] def filter(self, response: str) -> tuple[bool, str]: for pattern in self.blocked_patterns: if re.search(pattern, response, re.IGNORECASE): return False, f"Blocked: {pattern}" return True, "OK" ``` ### Strategy 3: Fact-Checking Fact-checking is harder. You can’t validate every claim, so pick the ones that matter: ``` python class FactChecker: def __init__(self): self.known_facts = { "capital of france": "Paris", "population of usa": "330 million", "speed of light": "299,792,458 m/s", } def check(self, claim: str) -> tuple[bool, str]: claim_lower = claim.lower() for fact, truth in self.known_facts.items(): if fact in claim_lower and truth not in claim_lower: return False, f"Fact check failed: {fact}" return True, "OK" ``` For real fact-checking, you need a retrieval pipeline. Check claims against a knowledge base, not a hardcoded dictionary. ## Safety mechanisms ### Strategy 1: Rate Limiting Rate limiting prevents abuse: ``` python import time from collections import deque class RateLimiter: def __init__(self, max_requests: int = 10, window: int = 60): self.max_requests = max_requests self.window = window self.requests = deque() def allow(self) -> bool: now = time.time() while self.requests and self.requests[0] < now - self.window: self.requests.popleft() if len(self.requests) >= self.max_requests: return False self.requests.append(now) return True ``` ### Strategy 2: Token Budgeting Token budgeting caps per-request costs: ``` python class TokenBudget: def __init__(self, max_tokens: int = 1000): self.max_tokens = max_tokens def validate(self, response: str) -> tuple[bool, str]: token_count = len(response.split()) if token_count > self.max_tokens: return False, f"Token limit exceeded: {token_count} > {self.max_tokens}" return True, "OK" ``` ### Strategy 3: Context Window Management Context window management prevents overflow: ``` python class ContextManager: def __init__(self, max_context: int = 4096): self.max_context = max_context self.context = [] def add(self, message: str): self.context.append(message) self.trim() def trim(self): while len(" ".join(self.context)) > self.max_context: self.context.pop(0) ``` Sliding window trimming is simple but loses early context. Better approaches use summarization or attention-based compression, but those add latency. ## Compliance Enterprise systems need compliance guardrails. Two that matter most: ### Pattern 1: Data Residency **Data residency** — ensure data stays within required geographic boundaries: ``` python class DataResidency: def __init__(self, allowed_regions: list[str]): self.allowed_regions = allowed_regions def validate(self, region: str) -> tuple[bool, str]: if region not in self.allowed_regions: return False, f"Region not allowed: {region}" return True, "OK" ``` ### Pattern 2: Audit Logging **Audit logging** — log all model interactions: ``` python import json from datetime import datetime class AuditLogger: def __init__(self, log_file: str = "audit.log"): self.log_file = log_file def log(self, request: dict, response: dict): entry = { "timestamp": datetime.now().isoformat(), "request": request, "response": response, } with open(self.log_file, "a") as f: f.write(json.dumps(entry) + "\n") ``` Audit logs are critical for debugging and compliance. Make them structured, append-only, and stored securely. ## Putting it together ### Pattern 1: Simple Guardrails A simple guardrail pipeline: ``` python class SimpleGuardrails: def __init__(self): self.input_validator = InputValidator(max_length=10000) self.output_filter = OutputFilter() def process(self, prompt: str) -> str: valid, message = self.input_validator.validate(prompt) if not valid: return f"Error: {message}" response = self.call_model(prompt) valid, message = self.output_filter.filter(response) if not valid: return f"Error: {message}" return response ``` ### Pattern 2: Advanced Guardrails Advanced guardrails add sanitization, rate limiting, and token budgets: ``` python class AdvancedGuardrails: def __init__(self): self.sanitizer = PromptSanitizer() self.input_validator = InputValidator(max_length=10000) self.content_filter = ContentFilter() self.output_filter = OutputFilter() self.rate_limiter = RateLimiter(max_requests=10) self.token_budget = TokenBudget(max_tokens=1000) def process(self, prompt: str) -> str: prompt = self.sanitizer.sanitize(prompt) valid, message = self.input_validator.validate(prompt) if not valid: return f"Error: {message}" valid, message = self.content_filter.filter(prompt) if not valid: return f"Error: {message}" if not self.rate_limiter.allow(): return "Error: Rate limit exceeded" response = self.call_model(prompt) valid, message = self.output_filter.filter(response) if not valid: return f"Error: {message}" valid, message = self.token_budget.validate(response) if not valid: return f"Error: {message}" return response ``` ## When guardrails matter Guardrails matter when you’re building user-facing systems, handling sensitive data, or running in production. They also matter when you have compliance requirements — GDPR, HIPAA, SOC 2. They don’t matter when you’re prototyping, using models for internal tools only, or not handling sensitive data. Skip them until you need them. The tradeoff is always capability versus safety. More guardrails mean fewer failures but also fewer capabilities. Find the balance that works for your system. ## Tradeoffs | Strategy | Safety | Capability | Latency | |---|---|---|---| | No guardrails | Lowest | Highest | Lowest | | Input validation | High | Medium | Low | | Output filtering | High | Medium | Low | | Safety mechanisms | Highest | Lowest | Highest | | Compliance | Highest | Lowest | Highest | ## Related [Model Routing Strategies](https://www.glukhov.org/llm-architecture/model-routing/model-routing-strategies/)— capability-based, cost-aware, latency-aware routing[Cost Optimization for LLM Systems](https://www.glukhov.org/llm-architecture/cost-optimization/cost-optimization-for-llm-systems/)— token budgeting, fallback models, caching[Multi-Model System Design](https://www.glukhov.org/llm-architecture/model-routing/multi-model-system-design/)— architecture for multiple models[LLM Architecture](https://www.glukhov.org/llm-architecture/)— system design pillar: routing, cost, guardrails, and orchestration