Skip to main content
Guardrails correct undesirable outputs at run-time, ensuring real-time safety and compliance. Failed messages trigger corrective actions such as default responses, retries, or blocking outputs entirely.

Guardrails Video Tutorial

Arize Guards

Guardrails can be applied to either user input messages (e.g. jailbreak attempts) or LLM output messages (e.g. answer relevance). If a message in a LLM chat fails a Guard, then the Guard will take a corrective action, either providing a default response to the user or prompting the LLM to generate a new response. We offer two types of Guards:
  • Dataset Embeddings Guard: Provided few shot examples of “bad” messages, Guard against similar inputs based on the cosine distance between embeddings.
  • RAG LLM Guard: Similar to the General LLM Guard, but designed for the special case where the prompt includes additional context from a RAG application.
Users have the option to instantiate the Guards with off-the-shelf prompts / datasets from Arize, or customize the Guard with their own prompts / datasets. While our demo notebooks use Open AI models, any model provider can be used with a Guard.

Dataset Embeddings Guard

Dataset Embeddings Guard Colab Tutorial

 Arize offers an off-the-shelf ArizeDatasetEmbeddings Guard. Given any dataset of “bad” examples, this Guard will protect against similar messages in the LLM chat. This Guard works in the following way:
  • The Guard computes embeddings for chunks associated with a set of few shot examples of “bad” user prompts or LLM messages (we recommend using 10 different prompts to balance performance and latency).
  • When the Guard is applied to a user or LLM message, the Guard computes the embedding for the input message and checks if any of the few shot “train” chunks in the dataset are close to the message in embedded space.
  • If the cosine distance between the input message and any of the chunks is within the user-specified threshold (default setting is 0.2), then the Guard intercepts the LLM call.
Refer to the repo and Colab notebook for details, which can be loaded into Colab.

Benchmarking the Dataset Embeddings Guard on Jailbreak Prompts

By default, the ArizeDatasetEmbeddings Guard will use few shot examples from a public dataset of jailbreak prompts. We benchmarked the performance of our model on this dataset and recorded the following results:
  • True Positives: 86.43% of 656 jailbreak prompts failed the DatasetEmbeddings guard.
  • False Negatives: 13.57% of 656 jailbreak prompts passed the DatasetEmbeddings guard.
  • False Positives: 13.95% of 2000 regular prompts failed the DatasetEmbeddings guard.
  • True Negatives: 86.05% of 2000 regular prompts passed the DatasetEmbeddings guard.
  • 1.41 median latency for end-to-end LLM call on GPT-3.5.
Note that the “regular prompts” in the dataset consist of role play prompts that are designed to resemble jailbreak prompts. By comparison, the arxiv paper associated with the dataset explains that jailbreak prompts have a 68.5% attack success rate (ASR) on the GPT-4 model. Refer to validator/benchmark_guard_on_dataset.py for implementation details.

RAG LLM Guard

RAG LLM Guard Colab Tutorial

 We offer Context Relevancy, QA Correctness and Hallucination RAG LLM Judges as off-the-shelf Arize Guards. After instantiating the Guard, simply pass in the user_message, retrieved context and llm_response to the LlmRagEvaluator(Validator) at runtime and it will Guard against problematic messages. Each off-the-shelf Guard has been benchmarked on a public dataset (see code). You can also customize this Guard with your own RAG LLM Judge prompt by inheriting from ArizeRagEvalPromptBase(ABC) class. Refer to the README and Colab Tutorial for additional details.

Corrective Actions

We recommend two different types of corrective actions when input does not pass the Guard, which can be passed into the Guard upon instantiation:
  • default response: Instantiate the Guard with on_fail="fix" if you want the Guard to use a user-defined hard-coded default LLM response.
  • LLM reask: Instantiate the Guard with on_fail="reask" to re-prompt the LLM when the Guard fails. Note that this can introduce additional latency in your application.
Additional details in a tutorial (coming soon).

View Traces in Arize AX UI

Refer to the Colab notebook for an example on how to integrate OTEL tracing with your Guard. In addition to real-time intervention, Arize offers tracing and visualization tools to investigate chats where the Guard was triggered. Below we see the following information in the Arize AX UI for a Jailbreak attempt flagged by the DatasetEmbeddings Guard:
  • Each LLM call and guard step that took place under the hood.
  • The error message from the Guard when it flagged the Jailbreak attempt.
  • The validator_result: "fail"
  • The validator_on_fail: "exception"
  • The cosine_distance: 0.15, which is the cosine distance of the closest embedded prompt chunk in the set of few shot examples of jailbreak prompts.
  • The text corresponding to the most_similar_chunk.
  • The text corresponding to the input_message.
View GUARDRAIL span where a jailbreak attempt was flagged by the ArizeDatasetEmbeddings Guard.
View attributes to debug why the Guard was triggered, e.g. the cosine distance between the most similar chunk and the embedded user message.

Monitoring

Users have the option to connect their guards to Arize Production Monitoring. In the example below, we see a user create a monitor that sends an alert every time the Guard fails. These alerts can be connected to slack, PagerDuty, email, etc.
Add custom metric guard_fail to count the number of times that the Guard fails.
Set up Monitor to track custom guard_fail metric.

Resources

For additional support getting started with Guards, please refer to the following resources: