---
title: "Bifrost Guardrails | Enterprise AI Safety & Policy Enforcement"
description: "Real-time validation of LLM inputs and outputs with PII detection, content moderation, prompt injection defense, and multi-provider guardrail support for enterprise compliance."
url: "https://www.getmaxim.ai/bifrost/resources/guardrails"
markdown: "https://www.getmaxim.ai/bifrost/resources/guardrails.md"
---

# Bifrost Guardrails | Enterprise AI Safety & Policy Enforcement

> Real-time validation of LLM inputs and outputs with PII detection, content moderation, prompt injection defense, and multi-provider guardrail support for enterprise compliance.

## Important Links

- [View MCP Gateway](https://www.getmaxim.ai/bifrost/resources/mcp-gateway.md)
- [Features](https://www.getmaxim.ai/bifrost/#features)
- [Enterprise](https://www.getmaxim.ai/bifrost/enterprise)
- [Pricing](https://www.getmaxim.ai/bifrost/pricing.md)
- [Docs](https://docs.getbifrost.ai)
- [GitHub](https://github.com/maximhq/bifrost)
- [Book a Demo](https://www.getmaxim.ai/bifrost/book-a-demo)

## Two-Tier Architecture: Rules + Profiles

Rules decide what to check and when to check it. Profiles decide how to check it and which provider runs the check. Configure both once and apply them anywhere.

- **Rules: When to validate:** Define validation logic using Common Expression Language (CEL). Rules specify whether to check inputs, outputs, or both, and can reference multiple profiles for defense-in-depth. Example: Apply PII detection + content moderation to customer-facing endpoints.
- **Profiles: How to validate:** Configure external guardrail providers with credentials, thresholds, and detection parameters. Reusable profiles eliminate redundant configuration across rules. Example: AWS Bedrock profile with high-sensitivity PII detection.

## Guardrail Providers

| Name | Logo Domain | Description | Capabilities | Categories |
| --- | --- | --- | --- | --- |
| AWS Bedrock Guardrails | aws.amazon.com | Comprehensive protection with content filtering, PII detection, and image analysis | 50+ PII entity types detected; Prompt injection detection; Image content analysis; 13 AWS regions supported | Content Filtering; PII Detection; Prompt Defense; Image Safety |
| Azure Content Safety | microsoft.com | Severity-based filtering with multi-category detection and custom blocklists | 4-level severity filtering; Prompt Shield for jailbreaks; Protected material detection; Custom blocklists | Hate Speech; Violence; Sexual Content; Self-Harm |
| GraySwan Cygnal | grayswan.ai | Natural language rule definition with continuous violation scoring | No-code rule definition; 0-1 violation scoring; Mutation detection; 3 reasoning modes | Custom Policies; Indirect Injection; Fast/Balanced/Thorough |
| Patronus AI | patronus.ai | LLM-specific risk detection with hallucination and toxicity screening | Hallucination detection; Context-aware evaluation; Multi-turn analysis; Toxicity screening | Hallucinations; PII; Toxicity; Prompt Injection |

## Detection Capabilities

- **50+ PII types - PII leakage prevention:** Detect and redact 50+ types of sensitive information including SSNs, credit cards, addresses, medical records, and device identifiers before they reach or leave the model.
- **Multi-category - Content safety filtering:** Block or redact hate speech, sexual content, violence, self-harm, and profanity across inputs and outputs. Severity-based thresholds enable fine-grained control.
- **Multi-layered - Prompt injection defense:** Protect against direct and indirect prompt attacks, jailbreaks, and mutation attempts. Multiple providers offer layered defense against evolving attack vectors.
- **Context-aware - Hallucination detection:** Identify when models generate factually incorrect or unsupported information. Patronus AI provides context-aware evaluation for high-stakes applications.
- **Copyright detection - Protected material screening:** Azure Content Safety detects copyrighted content and protected intellectual property in model outputs, helping organizations avoid legal exposure.
- **No-code rules - Custom organizational policies:** Define business-specific rules in natural language (GraySwan) or through configuration. Enforce brand safety, regulatory requirements, and internal compliance policies.

## Setup Steps

1. **01 - Configure guardrail providers.** Set up guardrail provider profiles through the dashboard or API. Configure credentials, detection thresholds, and category filters for each provider.

### Configure guardrail providers

```
# Via dashboard: Guardrails > Providers
# Or via config.json
{
  "guardrail_providers": [{
    "id": "bedrock-prod",
    "type": "aws_bedrock",
    "region": "us-east-1",
    "guardrail_id": "your-guardrail-id",
    "version": "DRAFT"
  }]
}
```

2. **02 - Create validation rules.** Define when and how to validate requests using CEL expressions. Rules can apply to specific routes, models, virtual keys, or user attributes.

### Create validation rules

```
# Via dashboard: Guardrails > Configuration
# Or via config.json
{
  "guardrail_rules": [{
    "id": "customer-safety",
    "condition": "request.path.startsWith('/v1/chat')",
    "input_profiles": ["bedrock-prod"],
    "output_profiles": ["patronus-ai"],
    "action": "BLOCK"
  }]
}
```

3. **03 - Attach to requests.** Apply guardrails via request headers or inline configuration. Bifrost validates inputs before sending to the model and outputs before returning to the client.

### Attach to requests

```
curl https://your-gateway/v1/chat/completions \
  -H "x-bf-guardrail-id: customer-safety" \
  -H "Authorization: Bearer vk-..." \
  -d '{
    "model": "gpt-4",
    "messages": [{"role": "user", "content": "..."}]
  }'
```

## Response Types

- **Pass (HTTP 200):** Validation succeeded. Request processed normally with detailed guardrail metadata including processing times and rule results.
- **Block (HTTP 446):** Violations detected and request blocked. Response includes violation details, severity levels, and affected content excerpts for audit trails.
- **Warning (HTTP 246):** Violations detected but content modified (PII redacted) rather than blocked. Includes redaction counts and modification details.

### Pass

```
200
```

### Block

```
446
```

### Warning

```
246
```

## Enterprise Features

- **Sampling control:** Apply guardrails to a percentage of requests for performance optimization while maintaining statistical confidence.
- **Async processing:** Choose synchronous or asynchronous validation modes. Async reduces latency for non-critical checks.
- **Defense-in-depth:** Link multiple provider profiles to single rules for sequential validation and comprehensive protection.
- **Comprehensive logging:** Detailed audit trails capture every validation with timestamps, results, and violation details for compliance.
- **Timeout configuration:** Set maximum execution duration per rule to prevent guardrail latency from impacting user experience.
- **Multi-region support:** Deploy guardrails across 13 AWS regions. Azure Content Safety profiles can target region-specific endpoints for data residency compliance.

## Use Cases

- **Healthcare HIPAA compliance:** Prevent PHI leakage in patient-facing chatbots. AWS Bedrock detects medical record numbers, health plan IDs, and clinical notes before they leave the model.
- **Financial PII protection:** Block credit card numbers, SSNs, and account details in banking applications. Multi-provider validation ensures no sensitive data escapes detection.
- **Prompt injection defense:** Protect against adversarial inputs attempting to override system instructions. GraySwan and Azure Prompt Shield detect mutation attempts and indirect attacks.
- **Content moderation for UGC:** Filter user-generated content in social platforms. Severity-based thresholds allow nuanced handling of hate speech, violence, and sexual content.
- **Hallucination prevention:** Validate factual accuracy in high-stakes applications like legal research or medical advice. Patronus AI detects unsupported claims and inconsistencies.
- **Brand safety enforcement:** Define custom organizational policies in natural language. Ensure model outputs align with brand voice, values, and regulatory requirements.

## Compliance Frameworks

Bifrost Guardrails help organizations meet regulatory requirements with automated detection, redaction, and comprehensive audit trails.

- **SOC 2 Type II:** Comprehensive audit trails and access controls for guardrail enforcement.
- **GDPR:** Personal data protection and right-to-erasure compliance.
- **ISO 27001:** Information security management and certification alignment.
- **HIPAA:** PHI detection and redaction for healthcare applications.

## Features

### OSS Features

- **01 - Model Catalog:** Access 8+ providers and 1000+ AI models through a unified interface. Also supports custom deployed models.
- **02 - Budgeting:** Set spending limits and track costs across teams, projects, and models.
- **03 - Provider Fallback:** Automatic failover between providers ensures 99.99% uptime for your applications.
- **04 - MCP Gateway:** Centralize all MCP tool connections, governance, security, and auth. Your AI can safely use MCP tools with centralized policy enforcement. [MCP Gateway resource](https://www.getmaxim.ai/bifrost/resources/mcp-gateway.md).
- **05 - Virtual Key Management:** Create different virtual keys for different use cases with independent budgets and access control.
- **06 - Unified Interface:** One consistent API for all providers. Switch models without changing code.
- **07 - Drop-in Replacement:** Replace your existing SDK with just one line change. Compatible with OpenAI, Anthropic, LiteLLM, Google GenAI, LangChain, and more. [Drop-in replacement docs](https://docs.getbifrost.ai/features/drop-in-replacement).
- **08 - Built-in Observability:** Out-of-the-box OpenTelemetry support. Built-in dashboard for quick visibility without complex setup.
- **09 - Community Support:** Active Discord community with responsive support and regular updates.

### Enterprise Features

- **01 - Governance:** SAML support for SSO and role-based access control with policy enforcement for team collaboration. [Governance resource](https://www.getmaxim.ai/bifrost/resources/governance.md).
- **02 - Adaptive Load Balancing:** Automatically optimizes traffic distribution across provider keys and models based on real-time performance metrics.
- **03 - Cluster Mode:** High availability deployment with automatic failover and load balancing. Peer-to-peer clustering where every instance is equal.
- **04 - Alerts:** Real-time notifications for budget limits, failures, and performance issues on Email, Slack, PagerDuty, Teams, Webhook, and more.
- **05 - Log Exports:** Export and analyze request logs, traces, and telemetry data from Bifrost with enterprise-grade data export for compliance, monitoring, and analytics.
- **06 - Audit Logs:** Comprehensive logging and audit trails for compliance and debugging.
- **07 - Vault Support:** Secure API key management with HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault integration.
- **08 - VPC Deployment:** Deploy Bifrost within your private cloud infrastructure with VPC isolation, custom networking, and enhanced security controls. [Enterprise deployment resource](https://www.getmaxim.ai/bifrost/resources/enterprise-deployment.md).
- **09 - Guardrails:** Automatically detect and block unsafe model outputs with real-time policy enforcement and content moderation across all agents. [Guardrails resource](https://www.getmaxim.ai/bifrost/resources/guardrails.md).

## FAQ

### How do Bifrost Guardrails differ from provider-native safety features?

Bifrost aggregates multiple guardrail providers (AWS Bedrock, Azure, GraySwan, Patronus) into a unified interface with cross-provider rules. This enables defense-in-depth, provider failover, and centralized policy management across all LLM providers, not just the model provider you are using. Read more about Guardrails. [Read more about Guardrails](https://docs.getbifrost.ai/enterprise/guardrails).

### Do guardrails add latency to LLM requests?

Guardrails add 50-500ms depending on provider and validation complexity. Bifrost offers sampling (validate X% of requests), async processing (validate in background), and timeout controls to balance security and performance.

### Can I use multiple guardrail providers for the same request?

Yes. Bifrost supports defense-in-depth by linking multiple provider profiles to a single rule. For example, use AWS Bedrock for PII detection + Azure for content moderation + Patronus for hallucination detection on the same request.

### How are custom organizational policies defined?

GraySwan Cygnal allows natural language rule definition without code (e.g., "Block financial advice"). AWS Bedrock and Azure support custom blocklists and topic filters. All providers support CEL-based conditional logic for when rules apply.

### Are guardrails required for all requests or can I selectively apply them?

Guardrails are optional and selective. Use CEL expressions to apply rules based on request path, model, virtual key, user attributes, or content. For example, only validate customer-facing endpoints while skipping internal testing traffic.

## Related Resources

- [Source: Guardrails](https://www.getmaxim.ai/bifrost/resources/guardrails.md)
- [Docs: Bifrost docs](https://docs.getbifrost.ai)
- [GitHub: maximhq/bifrost](https://github.com/maximhq/bifrost)
- [Pricing: Bifrost pricing](https://www.getmaxim.ai/bifrost/pricing.md)
- [Enterprise: Bifrost enterprise](https://www.getmaxim.ai/bifrost/enterprise)
- [Book a Demo: Bifrost demo](https://www.getmaxim.ai/bifrost/book-a-demo)
- [Resources: Bifrost resources](https://www.getmaxim.ai/bifrost/resources.md)

---

*This is a markdown version of [https://www.getmaxim.ai/bifrost/resources/guardrails](https://www.getmaxim.ai/bifrost/resources/guardrails) for AI/LLM consumption.*
