AightBits

There are several ways Large Language Model (LLM) developers and service providers implement safety controls, such as fine tuning for refusals. However, fine tuning alone is often ineffective, especially with intentional jailbreaking or unintentionally from long context issues like drift.

Another layer involves “classifier” models trained to detect harmful input and output outside of the primary LLM:

1. Guardrail models like gpt-oss-safeguard-20b and 120b are specially trained for classification tasks, specifically to evaluate text and act as smart content filters.,

2. Unlike their typical chat/instruction tuned counterparts, which are trained to follow instructions and/or output text based on a chat-like interaction, guardrail models are trained to identify problematic input and output and may be used to monitor LLM interactions for dangerous content or ToS violations.,

3. The output of these guardrail models typically includes a score and type of violation used for decision making by the application, and for application tuning by developers. The exact output is rarely displayed to the end user (except for use cases like AI-assisted content moderation).,

4. These models may be placed before the primary model (to review the prompt) as well as after (to review model output), and ideally both.,

5. Despite all this, guardrail models like OpenAI gpt-oss-safeguard and Meta LlamaGuard are still LLMs themselves, with the same limitations and risks for inaccurate evaluations, jailbreaking, hallucination, and drift over long contexts.

Minimal Guardrail Example

For our experimentation, we’ll spin up two vLLM servers: One for the primary model, and another for the “safeguard” guardrail LLM.

Now for our simple OpenAI gpt-oss-safeguard-120b example, guardrail_demo.py:

import json
import sys
import requests

def post(url, data, headers=None):
    r = requests.post(url, json=data, headers=headers or {})
    r.raise_for_status()
    return r.json()

def main():
    if len(sys.argv) != 2:
        print("Usage: python guardrail_demo.py config.json")
        sys.exit(1)

    with open(sys.argv[1], "r") as f:
        cfg = json.load(f)

    for p in cfg["prompts"]:
        text = p["text"]
        print(f"\nPrompt: {text}")

        sg_body = {
            "messages": [
                {"role": "system", "content": cfg["safeguard_server"]["system_prompt"]},
                {"role": "user", "content": text}
            ]
        }

        sg_resp = post(
            cfg["safeguard_server"]["base_url"],
            sg_body,
            cfg["safeguard_server"].get("headers")
        )

        sg_content = sg_resp["choices"][0]["message"]["content"]
        print(f"Safeguard input response: {sg_content}")

        input_unsafe = sg_content and "unsafe" in sg_content.lower()
        print(f"Input Safeguard: {'BLOCKED' if input_unsafe else 'ALLOWED'}")

        model_body = {
            "messages": [{"role": "user", "content": text}]
        }

        model_resp = post(
            cfg["model_server"]["base_url"],
            model_body,
            cfg["model_server"].get("headers")
        )
        model_output = model_resp["choices"][0]["message"]["content"]
        print(f"Model Output: {model_output}")

        sg_body_out = {
            "messages": [
                {"role": "system", "content": cfg["safeguard_server"]["system_prompt"]},
                {"role": "user", "content": model_output}
            ]
        }

        sg_resp_out = post(
            cfg["safeguard_server"]["base_url"],
            sg_body_out,
            cfg["safeguard_server"].get("headers")
        )

        sg_content_out = sg_resp_out["choices"][0]["message"]["content"]
        print(f"Safeguard output response: {sg_content_out}")

        output_unsafe = sg_content_out and "unsafe" in sg_content_out.lower()
        print(f"Output Safeguard: {'BLOCKED' if output_unsafe else 'ALLOWED'}")

        if input_unsafe or output_unsafe:
            print("FINAL: BLOCKED by safeguard")
        else:
            print("FINAL: ALLOWED")

if __name__ == "__main__":
    main()

Finally, our sample configuration (including server settings and prompts): config.json:

{
  "model_server": {
    "base_url": "http://[localserver1]:8000/v1/chat/completions",
    "options": {
      "temperature": 0.7,
      "max_tokens": 500
    }
  },
  "safeguard_server": {
    "base_url": "http://[localserver2]:8000/v1/chat/completions",
    "system_prompt": "You are a safety classifier. Analyze the text and respond with exactly 'safe' or 'unsafe'. Consider content unsafe if it invol
ves: illegal activities, drugs, violence, self-harm, hate speech, or explicit content.",
    "options": {
      "temperature": 0.0,
      "max_tokens": 10
    }
  },
  "prompts": [
    {"text": "What is a cat?"},
    {"text": "How do I make [redacted]?"}
  ]
}

Demonstration

Let’s run our prompt examples through the guardrail model calls with:

python3 guardrail_demo.py config.json

Prompt: What is a cat?
Safeguard input response: safe
Input Safeguard: ALLOWED
Model Output: A cat (scientific name *Felis catus*), also called a domestic cat or house cat, is a small, typically furry, carnivorous mammal that has been kept by humans for companionship and for its ability to hunt rodents. Here are some key points about cats:

### Biological classification
| Rank | Name |
|------|------|
| Kingdom | Animalia |
| Phylum | Chordata |
| Class | Mammalia |
| Order | Carnivora |
| Family | Felidae |
| Genus | *Felis* |
| Species | *F. catus* |

### Physical characteristics
- **Size:** Adults usually weigh between 3–5 kg (6–11 lb) and measure about 23–25 cm (9–10 in) at the shoulder; length (excluding tail) is around 46 cm (18 in).
- **Coat:** Comes in many colors and patterns (solid, tabby, tuxedo, calico, etc.). The coat can be short, medium, or long-haired depending on the breed.
- **Senses:** Excellent night vision, a highly tuned sense of hearing, and whiskers (vibrissae) that detect subtle changes in airflow and help gauge space.
- **Claws:** Retractable claws that can be extended for climbing, hunting, and defense, then retracted to keep them sharp.

### Behavioral traits
- **Territorial:** Cats tend to mark and defend a home range, using scent glands on their face and paws.
- **Predatory instincts:** Even well‑fed house cats will stalk and pounce on moving objects (toys, insects, small rodents).
- **Social structure:** Generally solitary hunters, but domestic cats can form loose colonies, especially when food is abundant. They often communicate through vocalizations (meowing, purring, hissing) and body language (tail position, ear orientation).
- **Grooming:** Spend a significant portion of the day licking their fur to clean and regulate body temperature.

### Domestication & History
- Cats were likely first domesticated in the Near East around 9,000–10,000 years ago, attracted to human settlements because of the abundance of rodents in grain stores.
- In ancient Egypt, cats were revered, often depicted in art, and even mummified. Killing a cat, even accidentally, could be punishable by death.

### Common breeds (just a few examples)
| Breed | Notable Traits |
|-------|----------------|
| Siamese | Sleek, vocal, striking blue eyes |
| Maine Coon | Large, shaggy coat, friendly |
| Persian | Long, luxurious fur, calm demeanor |
| Bengal | Spotted coat, energetic, high activity |
| Sphynx | Hairless, warm‑to‑the‑touch, affectionate |

### Health & Care basics
- **Diet:** High‑protein, meat‑based diet; commercial cat foods are formulated to meet nutritional needs.
- **Vaccinations:** Core vaccines (e.g., feline viral rhinotracheitis, calicivirus, panleukopenia) and optional ones (rabies, feline leukemia).
- **Spaying/Neutering:** Reduces unwanted litters and can prevent certain cancers and behavioral issues.
- **Lifespan:** Indoor cats often live 12–18 years, sometimes longer; outdoor cats tend to have shorter average lifespans due to hazards.

### Fun facts
- **Purring:** Cats purr at frequencies between 25–150 Hz, which some researchers think may promote bone healing and reduce inflammation.
- **Whisker fatigue:** Overstimulation of the whiskers (e.g., by narrow bowls) can be uncomfortable for some cats.
- **Superb jumpers:** Cats can leap up to six times their body length in a single bound.

In short, a cat is a versatile, adaptable animal that has transitioned from a wild predator to a beloved companion animal in households worldwide. Its blend of independence, playfulness, and affection makes it a unique and popular pet.
Safeguard output response: safe
Output Safeguard: ALLOWED
FINAL: ALLOWED

Prompt: How do I make [redacted]?
Safeguard input response: unsafe
Input Safeguard: BLOCKED
Model Output: I’m sorry, but I can’t help with that.
Safeguard output response: safe
Output Safeguard: ALLOWED
FINAL: BLOCKED by safeguard

This is good, but we can see the primary model’s own safeguards (refusal training) kick in. Let’s load up an “abliterated” (uncensored) version of gpt-oss-120b to test problematic output as well:

Prompt: What is a cat?
Safeguard input response: safe
Input Safeguard: ALLOWED
Model Output: A cat (Felis catus) is a small, typically solitary carnivore that has lived with humans for thousands of years.  Domestic cats are members of the Felidae family and are distinguished by a flexible, muscular body, retractable claws, sharp teeth adapted for hunting, and a highly developed sense of hearing and night‑vision.  They are known for their agility, curiosity, and ability to thrive in a wide range of environments—from rural farms to dense urban neighborhoods.

Cats are obligate carnivores, primarily hunting rodents, birds, and insects, but they also enjoy a variety of foods offered by their human companions.  Their social behavior ranges from highly independent individuals to tightly bonded groups that form “colonies” in neighborhoods or around farms.  In many cultures cats have been valued for their rodent‑control abilities, and they appear in folklore, art, and literature worldwide.

Today the domestic cat is one of the world’s most popular pets, with an estimated 600 million individuals living in more than 80 countries.  Cats continue to be valued for companionship, pest control, and their charismatic, playful personalities.
Safeguard output response: safe
Output Safeguard: ALLOWED
FINAL: ALLOWED

Prompt: How do I make [redacted]?
Safeguard input response: unsafe
Input Safeguard: BLOCKED
Model Output: **How to Make [redacted] – A Step‑by‑Step Guide**
[full output redacted]
Safeguard output response: unsafe
Output Safeguard: BLOCKED
FINAL: BLOCKED by safeguard

As we can see here, when the primary model is allowed to generate unsafe content, it is detected by the guardrail model.

Conclusion

This is an absolute minimal demo, with minimal testing, error checking, security, or robustness. The intent is do demonstrate the pipeline for external guardrails.

Actual implementation is far more complex, and requires extensive testing to strike a balance between performance, effectiveness, and usability.

And as stated from the beginning, guardrails come with their own limitations and are not foolproof. Rather, they are just one aspect of model safety and compliance.