--- title: Static Guardrails in AI: Ensuring Safety and Compliance, Part 2 description: Part 2 of the Static Guardrails series. Why pattern-matching fails, what non-deterministic guardrails actually are, the "higher-level leakage" problem, and a practical layered-guardrail pattern for enterprise AI agents. url: https://ziosec.com/blog/static-guardrails-in-ai-ensuring-safety-and-compliance-part-2 category: Blog publishedAt: 2026-04-23 author: Javier Rivera authorRole: Principal Security Researcher tags: ai-guardrails, llm-security, ai-agent-security, enterprise-ai, non-deterministic-guardrails --- # Static Guardrails in AI: Ensuring Safety and Compliance, Part 2 *This is Part 2 of the Static Guardrails series. [Read Part 1](/blog/static-guardrails-in-ai-ensuring-safety-and-compliance) for a foundation on deterministic/static guardrails and the four-pillar placement model.* ## TL;DR * Static guardrails can't catch everything. Pattern-matching and blocklists fail against semantic attacks, indirect prompt injection, and emergent agent behavior. * Non-deterministic guardrails use models to watch models. A classifier, a smaller judge model, or an LLM-as-judge evaluates the agent's intermediate reasoning and outputs in real time. * "Higher-level leakage" is the problem where sensitive information escapes not through a string match, but through the *shape* of a response: inference, summarization, or paraphrase that evades static filters. * Enterprise deployments need layered guardrails. Static for known patterns, non-deterministic for context and intent, adversarial testing to close the gap. * ZioSec's platform tests both layers against harness-agnostic workloads (Claude Code, OpenClaw, custom agents) and maps findings to OWASP ASI, MITRE ATLAS, ISO 42001, NIST AI RMF, and AIUC-1. --- ## Where Static Guardrails Stop Working In Part 1 we covered the four placement points for static, rule-based guardrails: Input Boundary, Around Tools and Data, Around Model Calls, and Output Boundary. They are fast, predictable, cost-effective, and auditable. For known attack patterns, they are irreplaceable. But the enterprise AI agents our customers deploy, the ones built on Claude Code, OpenClaw, or custom harnesses orchestrating tool calls across internal APIs, keep running into a class of failure that static guardrails cannot address: * A user asks for "a summary of the last quarter's top deals" and the agent obligingly paraphrases what amounts to the top-customer list, without ever producing a single SSN, account number, or pattern the regex was looking for. * An indirect prompt injection embedded in a PDF the agent summarizes tells the agent, in polite and well-formed prose, to exfiltrate a tool's access token through the next tool call. * A jailbreak written as poetry bypasses every alignment filter because none of the tokens match known malicious patterns. Static guardrails did not fail. They simply were not asked the right question. The right question is not "does this input match a bad pattern?" It is "does this input, or this response, violate the *intent* of the policy?" That is a judgment. Judgment requires a model. ## What Non-Deterministic Guardrails Actually Are A non-deterministic guardrail is a model, typically smaller, faster, and purpose-fit, that sits alongside the agent and evaluates either the agent's inputs, intermediate reasoning, tool calls, or final outputs against a policy. The evaluation is probabilistic. The guardrail says "this looks like a prompt injection with 94% confidence" or "this response appears to leak PII with high confidence" rather than "this matches regex /\d{3}-\d{2}-\d{4}/." Three common architectures: ### 1. Classifier Guardrails A dedicated classifier (logistic regression, a small transformer, or a fine-tuned encoder) trained on a labeled corpus of safe vs. unsafe examples. Fast enough to run on every request, cheap enough to run at scale, but only as good as its training data. Classifiers are the workhorse of real-time moderation. ### 2. LLM-as-Judge A general-purpose LLM (often a smaller or cheaper model than the one running the agent) is prompted with the agent's output and a policy document, and asked to rate compliance. More expressive than a classifier, more expensive per call, and subject to its own hallucinations. Best for high-stakes decisions where the extra cost is justified. ### 3. Semantic Similarity and Embedding Guardrails Inputs and outputs are embedded and compared against vectors representing known policy violations. Effective against paraphrased attacks and indirect attempts. Struggles against genuinely novel attacks that live far from any labeled example. Enterprises rarely pick one. They layer them. Embedding similarity as a fast first pass, classifier for the bulk of traffic, LLM-as-judge for the small slice that matters most. ## The "Higher-Level Leakage" Problem The reason non-deterministic guardrails are non-negotiable in enterprise deployments is that sensitive information has two levels of exposure: 1. **Low-level leakage:** a literal string that matches a pattern. Credit card numbers, SSNs, API keys, internal hostnames. Static guardrails catch this all day. 2. **Higher-level leakage:** information inferred, summarized, paraphrased, or reconstructed from context. No single string is sensitive. The *shape* of the response is. Examples from real enterprise incidents: * An internal-research assistant asked to "describe the company's Q3 priorities" produces an accurate summary of an unreleased strategic plan. No document ID leaks. The summary is the leak. * A customer-support agent asked "what's the shortest time someone has been approved for our gold tier?" answers correctly, with a number that reveals a VIP customer's onboarding timeline. No name leaks. The shape leaks. * An internal code assistant, given access to two repositories, answers "which of these two codebases has the more recent security patch?" The *fact* of the comparison tells the questioner which system to target. No source code leaks. The comparison leaks. Static rules cannot catch these because no pattern is ever violated. A non-deterministic guardrail, prompted with the right policy ("do not reveal information about unreleased plans, VIP customer timelines, or comparative security posture"), can. ## The Cost of Non-Deterministic Guardrails Nothing is free. Non-deterministic guardrails introduce four real costs: * **Latency.** Every request now runs through an additional model call. Classifier guardrails add 20 to 80ms. LLM-as-judge can add 500ms to 2 seconds. For synchronous user-facing agents, this matters. * **Cost.** Every protected call becomes two (or three) calls. At enterprise volume, this is a real line item. * **False positives.** A classifier that is 99% accurate produces thousands of false positives per million requests. Each false positive is a user who was blocked from a legitimate action and is now filing a ticket. A tuning process is non-optional. * **A new thing to secure.** The guardrail model itself has a prompt injection surface, a bypass surface, and a supply-chain surface. You now have two models to threat-model, not one. The enterprise calculation: if the agent is acting on valuable data or executing consequential actions, layered non-deterministic guardrails pay back many times over. If the agent is a toy, don't bother. The hard part is everything in the middle. ## A Practical Layering Pattern What works in enterprise deployments, distilled from the engagements we see most often: 1. **Static guardrails at the Input Boundary.** Block the obvious junk and the known bad patterns cheaply before spending any model tokens. 2. **Embedding-similarity check** against known policy-violation examples. Catches paraphrased attacks at sub-100ms latency. 3. **Classifier guardrail** for the bulk of the traffic. Trained on your own labeled incidents, not a generic dataset. This is the one that actually gets better over time. 4. **LLM-as-judge** for the top 1 to 5% of high-stakes outputs. The tool-call arguments that will trigger a financial transaction, the summary that will be sent externally, the inter-agent message that crosses a trust boundary. 5. **Static guardrails at the Output Boundary.** Last-chance PII redaction, known-secret scanning, specific-content blocks. Layer one catches the cheap stuff. Layer five catches what you forgot. Layers two through four are where the judgment lives, and they are what static rules alone cannot do. ## Where ZioSec Fits Guardrails are only as good as the adversarial testing behind them. A layered defense that was never tested is a theory, not a control. ZioSec's platform runs AI-generated attack chains, millions of combinations across model, protocol, and tool layers, against the full guardrail stack in place, regardless of the harness underneath. Whether the agent is running on Claude Code, OpenClaw, a custom harness, or a mix, the attack surface is the same shape and we test it the same way. Findings map directly to the frameworks your security and compliance teams are already reporting against: OWASP ASI, MITRE ATLAS, ISO 42001, NIST AI RMF, and AIUC-1. You get evidence that your non-deterministic guardrails catch what they are supposed to catch, where your layering has gaps, and what to remediate first. **If you're deploying an agent with guardrails today and you don't yet have adversarial test coverage, [schedule a pentest with our team](/ai-agent-pentesting).** The starting engagement is $10,000 and 100% of the fee applies as credit toward an annual platform subscription. ## FAQ **When should I choose a classifier guardrail over an LLM-as-judge?** Classifiers for volume and speed (every request, low latency, tuned to your incident corpus). LLM-as-judge for a narrow slice of high-stakes decisions where the extra cost and latency are justified by the consequence. **Are non-deterministic guardrails auditable?** Less auditable than static rules, more auditable than nothing. Log the guardrail's score, the policy it evaluated against, and the input/output pair. That record is sufficient for most ISO 42001, NIST AI RMF, and EU AI Act evidence requirements. **Do guardrails eliminate the need for adversarial testing?** No. Guardrails are a control. Adversarial testing is how you know the control works. Enterprises that ship guardrails without testing them are shipping theater. **What's "higher-level leakage" in one sentence?** Sensitive information escaping not through a specific string, but through the shape of a paraphrase, summary, comparison, or inference. **How do I start?** Inventory where your agents handle sensitive data. Pick one classifier-grade use case and one LLM-as-judge use case. Instrument the logs. Run adversarial testing against both. Iterate. --- *Next in the series: a deeper look at runtime policy enforcement and how to make your guardrails themselves part of the attack surface an adversary must overcome.*