AI Guardrails · Schema

Guardrail Policy

A vendor-neutral schema describing a guardrail policy applied to LLM inputs and/or outputs. Models a single named policy that bundles one or more rules, each scoped to direction (input, output, retrieval, dialog, execution), threat category, severity threshold, and action (allow, block, redact, transform, log).

AI SafetyAI SecurityContent ModerationGuardrailsJailbreak DetectionLLM SecurityPII DetectionPrompt InjectionResponsible AI

Properties

Name Type Description
id string Stable identifier for the policy (URN, UUID, or slug).
name string Human-readable policy name.
description string What this policy enforces and the application context it applies to.
version string Semantic version string for the policy revision.
vendor string Identifier of the guardrail provider enforcing the policy.
deployment string Where the policy is enforced in the request path.
scope object Which traffic this policy applies to.
rules array Ordered list of guardrail rules evaluated for matching traffic.
defaultAction string Action when no rule matches.
telemetry object Where to emit violation events.
created string
modified string
View JSON Schema on GitHub

JSON Schema

guardrail-policy-schema.json Raw ↑ 
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://raw.githubusercontent.com/api-evangelist/guardrails/main/json-schema/guardrail-policy-schema.json",
  "title": "Guardrail Policy",
  "description": "A vendor-neutral schema describing a guardrail policy applied to LLM inputs and/or outputs. Models a single named policy that bundles one or more rules, each scoped to direction (input, output, retrieval, dialog, execution), threat category, severity threshold, and action (allow, block, redact, transform, log).",
  "type": "object",
  "required": ["id", "name", "version", "rules"],
  "properties": {
    "id": {
      "type": "string",
      "description": "Stable identifier for the policy (URN, UUID, or slug).",
      "examples": ["urn:guardrail-policy:customer-support-v3", "policy-2026-05-22-001"]
    },
    "name": {
      "type": "string",
      "description": "Human-readable policy name."
    },
    "description": {
      "type": "string",
      "description": "What this policy enforces and the application context it applies to."
    },
    "version": {
      "type": "string",
      "description": "Semantic version string for the policy revision.",
      "pattern": "^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z.-]+)?$"
    },
    "vendor": {
      "type": "string",
      "description": "Identifier of the guardrail provider enforcing the policy.",
      "examples": [
        "guardrails-ai",
        "nvidia-nemo-guardrails",
        "lakera-ai",
        "azure-prompt-shields",
        "aws-bedrock-guardrails",
        "openai-moderation",
        "google-model-armor",
        "hiddenlayer",
        "cisco-ai-defense",
        "lasso-security",
        "promptarmor",
        "wallarm-ai-security",
        "confident-ai"
      ]
    },
    "deployment": {
      "type": "string",
      "enum": ["sdk", "api", "gateway", "sidecar", "reverse-proxy", "platform", "cloud-service"],
      "description": "Where the policy is enforced in the request path."
    },
    "scope": {
      "type": "object",
      "description": "Which traffic this policy applies to.",
      "properties": {
        "applications": {
          "type": "array",
          "items": {"type": "string"},
          "description": "Application identifiers this policy covers."
        },
        "models": {
          "type": "array",
          "items": {"type": "string"},
          "description": "Foundation model identifiers this policy covers."
        },
        "environments": {
          "type": "array",
          "items": {"type": "string", "enum": ["production", "staging", "development", "evaluation"]}
        }
      }
    },
    "rules": {
      "type": "array",
      "minItems": 1,
      "description": "Ordered list of guardrail rules evaluated for matching traffic.",
      "items": {"$ref": "#/$defs/rule"}
    },
    "defaultAction": {
      "type": "string",
      "enum": ["allow", "block", "redact", "transform", "log"],
      "description": "Action when no rule matches.",
      "default": "allow"
    },
    "telemetry": {
      "type": "object",
      "description": "Where to emit violation events.",
      "properties": {
        "sink": {"type": "string", "format": "uri"},
        "format": {"type": "string", "enum": ["json", "otlp", "cef", "syslog"]}
      }
    },
    "created": {"type": "string", "format": "date-time"},
    "modified": {"type": "string", "format": "date-time"}
  },
  "$defs": {
    "rule": {
      "type": "object",
      "required": ["id", "direction", "category", "action"],
      "properties": {
        "id": {"type": "string", "description": "Rule identifier unique within the policy."},
        "name": {"type": "string"},
        "description": {"type": "string"},
        "direction": {
          "type": "string",
          "enum": ["input", "output", "retrieval", "dialog", "execution"],
          "description": "Which leg of the LLM interaction this rule inspects. Mirrors NVIDIA NeMo Guardrails rail taxonomy."
        },
        "category": {
          "type": "string",
          "enum": [
            "prompt-injection",
            "jailbreak",
            "indirect-prompt-injection",
            "pii",
            "sensitive-information",
            "content-safety",
            "hate",
            "harassment",
            "self-harm",
            "sexual",
            "violence",
            "hallucination",
            "contextual-grounding",
            "denied-topic",
            "competitor-mention",
            "profanity",
            "toxic-language",
            "malicious-url",
            "data-exfiltration",
            "structured-output",
            "tool-misuse",
            "agent-goal-hijack",
            "policy-violation"
          ],
          "description": "Threat or policy category this rule targets."
        },
        "detector": {
          "type": "object",
          "description": "How the rule decides a match.",
          "properties": {
            "type": {
              "type": "string",
              "enum": ["regex", "classifier", "embedding", "llm-judge", "schema", "deny-list", "allow-list", "custom"]
            },
            "model": {"type": "string", "description": "Detector model identifier where applicable."},
            "pattern": {"type": "string", "description": "Regex or pattern source."},
            "threshold": {
              "type": "number",
              "minimum": 0,
              "maximum": 1,
              "description": "Score above which a match is fired (for classifier/embedding detectors)."
            },
            "schemaRef": {
              "type": "string",
              "format": "uri",
              "description": "Reference to a JSON Schema for structured-output validation."
            }
          }
        },
        "severity": {
          "type": "string",
          "enum": ["info", "low", "medium", "high", "critical"],
          "description": "Severity assigned when this rule fires."
        },
        "action": {
          "type": "string",
          "enum": ["allow", "block", "redact", "transform", "log", "human-review"],
          "description": "What to do when the rule fires."
        },
        "redactionPlaceholder": {
          "type": "string",
          "description": "Token used to replace detected content when action is redact.",
          "examples": ["[REDACTED]", "<PII>"]
        },
        "tags": {
          "type": "array",
          "items": {"type": "string"}
        }
      }
    }
  }
}