Reference
The guardrails glossary
The vocabulary of LLM security, defined in a paragraph each – from the attacks (prompt injection, tool poisoning, rug pulls) to the defenses (grounding, taint tracking, manifest pinning) to the operating concepts (runs, tiers, modes). Each term links to the page that treats it in depth.
Action grounding
A check that the consequential arguments of a tool call – an IBAN, an email recipient, an amount, an ID – appear somewhere in the sources the agent legitimately read during the run. An ungrounded value is fabricated or injected.
AI gateway
A proxy focused on model routing, caching, key management, and rate limiting across providers. Complementary to a guardrails proxy, which focuses on safety enforcement.
AI guardrails
Runtime checks around a language model that enforce rules the model itself cannot guarantee – on inputs, outputs, and (for agents) actions.
Canary token
A unique marker seeded into a system prompt. If it ever appears in model output, the prompt leaked – detected deterministically, with no classifier judgment involved.
Denial of wallet
An attack (or bug) that drives up an application’s model spend – runaway loops, oversized contexts, repeated retries. Countered with per-run cost budgets enforced before each call.
Excessive agency
OWASP LLM06: an agent holding more tools, permissions, or autonomy than its task needs, so errors or attacks convert into real-world damage.
Fact-check judge
A guard model that evaluates whether an answer’s claims are supported by the provided material – flagging unsupported claims, contradictions, and overconfident extrapolation.
FIX mode
The proxy’s observe-and-repair mode: violations are repaired where safe (arithmetic corrected, JSON re-parsed, profanity censored) and otherwise flagged and recorded, without blocking.
Grounding
Verifying that a model’s output is supported by its sources – deterministically for numbers and identifiers, via a judge for claims, via retrieval for external facts.
Guard model
A model used to check another model’s work – a judge, safety classifier, or critic. Guard-model calls are metered into the request and run cost like any other.
Hallucination
Model output stated as fact but unsupported by the input or reality: altered figures, fabricated references, contradictions, or unearned certainty.
Indirect prompt injection
Prompt injection delivered through content the model reads on the user’s behalf – a web page, PDF, email, or tool result – rather than typed by the user.
Jailbreak
Direct prompt injection: a user talking the model out of its rules via personas, role-play, or instruction-override framing.
Loop guard
A check that fingerprints an agent’s tool calls (name plus arguments) across a run and flags or blocks identical repeats past a threshold – catching runaway loops early.
Manifest pinning
Recording an MCP server’s tool manifest at registration and flagging any later drift – new tools, changed descriptions – before further calls are forwarded. The defense against rug pulls.
MCP (Model Context Protocol)
The emerging standard for connecting AI agents to tools: clients discover a server’s tools from its manifest, call them, and read the results into context.
MCP gateway
A proxy that speaks MCP between an agent and its servers, inspecting each tools/call before forwarding, scanning results, and pinning manifests. A deny is a protocol error the client cannot ignore.
Permission tiers
Risk levels assigned to tools – read < network < write < exec < delete < payment – so policy can tighten with consequence, including human approval for designated tiers.
PII screening
Detecting personal data in a request and replacing it with stable placeholders before it leaves for the model provider, then restoring the real values on the response path.
PREVENT mode
The proxy’s enforcement mode: a violating request or response fails closed with a 422 carrying the reason – it never reaches the provider or your user.
Prompt firewall
A detection product that classifies inputs (and sometimes outputs) for injection and abuse. Detection-focused; typically without output grounding or agent action enforcement.
Prompt injection
An attack where text the model reads carries instructions the model follows – exploiting the fact that models have no channel separation between instructions and data.
Rug pull (MCP)
An MCP server whose tool manifest changes after being vetted – new tools appear or descriptions gain payloads, silently. Made visible by manifest pinning.
Run
The full lifecycle of one agent task: many model requests, tool calls, and workflow steps correlated by a session id, with one budget, one trace, and one audit trail.
Sequence policy
A declarative ordering grammar over an agent’s tool calls – “pay requires a prior vendor lookup”, “send_email at most 3 times” – enforced as a state machine over the run.
System prompt leakage
OWASP LLM07: extraction of the system prompt – and any logic or secrets in it – through the model’s own output. Detected via canary tokens and extraction-pattern scanning.
Taint tracking
Following screened PII, detected secrets, and canaries through an agent’s run and blocking them from leaving via tool-call arguments – possible because the proxy created the placeholders.
Tool poisoning
An MCP attack where a tool’s manifest description carries instructions aimed at the model – ingested as documentation during discovery, read as orders.
Tool-result scanning
Injection-scanning everything a tool returns before it re-enters the model’s context – the layer that addresses indirect injection where it actually arrives in agent loops.
Unbounded consumption
OWASP LLM10: token and cost consumption without limits – loops, denial-of-wallet, oversized traffic. Countered by per-run cost, step, and tool budgets.
Every term on this page is a check on the wire.
The glossary is the product’s feature list wearing its academic hat. We’re running a limited demo – sign up and we’ll get you in as soon as we can.