RAG Safety & Guardrails

Keeping AI on a Leash: A Practical Guide to Guardrails for RAG and Agents

A layered, production-ready approach for safe, accurate, and responsible Retrieval-Augmented Generation and agent systems.

By CRIA • Wed Jan 22 2025

Retrieval-Augmented Generation (RAG) systems and AI agents are transforming how we access information and automate work. By connecting large language models (LLMs) to your company's data, they can answer complex questions, summarize documents, and act on your behalf.

But what happens when a RAG system retrieves a document with sensitive financial data and shows it to the wrong person? Or when an agent, trying to be helpful, acts on a misunderstood command?

At our company, we build reliable AI systems by implementing guardrails. Think of them as the essential safety checks and balances for your AI. They aren't there to limit the AI's power, but to guide it—ensuring it operates safely, accurately, and responsibly. This is our practical, no-fluff guide to how we implement them, especially for RAG.

Why Guardrails are Crucial for RAG

RAG is fantastic for reducing hallucinations and grounding AI answers in factual documents. But the knowledge base itself introduces new risks. Your documents—not the LLM—become the primary source of potential problems.

Here are the RAG-specific challenges we focus on:

  • Sensitive Data Leakage: Internal documents can include PII, confidential project details, and financial records. A RAG system without guardrails can leak data.
  • Access Control: Presence ≠ permission. The RAG system must enforce the same permission hierarchies as the source systems.
  • Inaccurate or Outdated Information: If sources are wrong or stale, the answer will be too.
  • Toxicity and Bias: Biases and toxic language in documents can surface in generated outputs.

Production takeaway: Guardrails turn a powerful prototype into a trustworthy system.

Our Layered Approach to RAG Safety

A robust safety strategy requires multiple layers of defense. We build checks before the query is run, after the data is retrieved, and before the final answer is shown.

Layer Goal Typical Checks Failure Mode Prevented
Input Guardrails Validate and sanitize the user request Topic relevance; PII redaction; abuse/threat filters Off-scope queries; logging sensitive input
Retrieval Guardrails Control which documents reach the LLM Access control enforcement; policy filters; freshness checks Unauthorized disclosure; outdated sources
Output Guardrails Review the model's final answer Toxicity filter; grounding/citation check; jailbreak detection Hallucinations; policy violations; prompt injection

1) Input Guardrails (The Front Door)

  • Topic Relevance Check: Keep the assistant on-topic. A support bot shouldn't answer medical advice or politics.
  • PII Redaction: Strip names, emails, and account numbers before processing or logging.

2) Retrieval Guardrails (The Document Checkpoint)

This is the most critical layer for RAG. After relevant documents are found—but before generation—we enforce:

  • Access Control Enforcement: Check the user's permissions against every retrieved document. Unauthorized docs never enter the LLM context.
  • Freshness & Policy Filters: Drop outdated or policy-violating content.

3) Output Guardrails (The Final Review)

  • Toxicity Filtering: Block hateful, abusive, or unprofessional language.
  • Grounding and Citation Check: Ensure claims are supported by retrieved content.
  • Anti-Jailbreak Scan: Detect attempts to bypass rules or expose prompts.

A Simple, Practical Example: Topic Guardrail

Use a fast, inexpensive model to act as a “bouncer” for relevance. Prompt:

You are a topic classification guardrail. Your job is to determine if a user query is related to our company's software products. Respond with only a single word: RELEVANT or IRRELEVANT.

User Query: ""

Pseudocode logic:

def handle_user_query(user_query):
    # Use a fast, cheap LLM (like Gemini Flash) for this check
    topic_result = check_topic_relevance_with_llm(user_query)  # returns "RELEVANT" or "IRRELEVANT"

    if topic_result == "RELEVANT":
        # Proceed with the full RAG process
        answer = run_rag_pipeline(user_query)
        return answer
    else:
        # If off-topic, block and set expectation
        return "I'm sorry, I can only answer questions related to our software products."

# Example usage
handle_user_query("How do I reset my password?")  # -> Proceeds to RAG
handle_user_query("What are your thoughts on the upcoming election?")  # -> Blocked

Engineering for Reliability: It's Still Software

  • Modularity: Compose small, specialized components (input, retrieval, generation) rather than one monolith.
  • Observability: Structured logging of query, retrieved docs, and final answer for troubleshooting.
  • Least Privilege: Grant only the minimum permissions required. Limit blast radius by design.

Final Thoughts

Implementing guardrails isn't just a technical task—it's core to responsible AI development. With a layered defense—from input screening and access control to output checks—we can build RAG systems and agents that are powerful, safe, and genuinely helpful.