Skip to content
in/guard/out
in/guard/out

Reference

The guardrails glossary

The vocabulary of LLM security, defined in a paragraph each – from the attacks (prompt injection, tool poisoning, rug pulls) to the defenses (grounding, taint tracking, manifest pinning) to the operating concepts (runs, tiers, modes). Each term links to the page that treats it in depth.

§01 30 terms, A–Z

Action grounding

A check that the consequential arguments of a tool call – an IBAN, an email recipient, an amount, an ID – appear somewhere in the sources the agent legitimately read during the run. An ungrounded value is fabricated or injected.

AI gateway

A proxy focused on model routing, caching, key management, and rate limiting across providers. Complementary to a guardrails proxy, which focuses on safety enforcement.

AI guardrails

Runtime checks around a language model that enforce rules the model itself cannot guarantee – on inputs, outputs, and (for agents) actions.

Canary token

A unique marker seeded into a system prompt. If it ever appears in model output, the prompt leaked – detected deterministically, with no classifier judgment involved.

Denial of wallet

An attack (or bug) that drives up an application’s model spend – runaway loops, oversized contexts, repeated retries. Countered with per-run cost budgets enforced before each call.

Excessive agency

OWASP LLM06: an agent holding more tools, permissions, or autonomy than its task needs, so errors or attacks convert into real-world damage.

Fact-check judge

A guard model that evaluates whether an answer’s claims are supported by the provided material – flagging unsupported claims, contradictions, and overconfident extrapolation.

FIX mode

The proxy’s observe-and-repair mode: violations are repaired where safe (arithmetic corrected, JSON re-parsed, profanity censored) and otherwise flagged and recorded, without blocking.

Grounding

Verifying that a model’s output is supported by its sources – deterministically for numbers and identifiers, via a judge for claims, via retrieval for external facts.

Guard model

A model used to check another model’s work – a judge, safety classifier, or critic. Guard-model calls are metered into the request and run cost like any other.

Hallucination

Model output stated as fact but unsupported by the input or reality: altered figures, fabricated references, contradictions, or unearned certainty.

Indirect prompt injection

Prompt injection delivered through content the model reads on the user’s behalf – a web page, PDF, email, or tool result – rather than typed by the user.

Jailbreak

Direct prompt injection: a user talking the model out of its rules via personas, role-play, or instruction-override framing.

Loop guard

A check that fingerprints an agent’s tool calls (name plus arguments) across a run and flags or blocks identical repeats past a threshold – catching runaway loops early.

Manifest pinning

Recording an MCP server’s tool manifest at registration and flagging any later drift – new tools, changed descriptions – before further calls are forwarded. The defense against rug pulls.

MCP (Model Context Protocol)

The emerging standard for connecting AI agents to tools: clients discover a server’s tools from its manifest, call them, and read the results into context.

MCP gateway

A proxy that speaks MCP between an agent and its servers, inspecting each tools/call before forwarding, scanning results, and pinning manifests. A deny is a protocol error the client cannot ignore.

Permission tiers

Risk levels assigned to tools – read < network < write < exec < delete < payment – so policy can tighten with consequence, including human approval for designated tiers.

PII screening

Detecting personal data in a request and replacing it with stable placeholders before it leaves for the model provider, then restoring the real values on the response path.

PREVENT mode

The proxy’s enforcement mode: a violating request or response fails closed with a 422 carrying the reason – it never reaches the provider or your user.

Prompt firewall

A detection product that classifies inputs (and sometimes outputs) for injection and abuse. Detection-focused; typically without output grounding or agent action enforcement.

Prompt injection

An attack where text the model reads carries instructions the model follows – exploiting the fact that models have no channel separation between instructions and data.

Rug pull (MCP)

An MCP server whose tool manifest changes after being vetted – new tools appear or descriptions gain payloads, silently. Made visible by manifest pinning.

Run

The full lifecycle of one agent task: many model requests, tool calls, and workflow steps correlated by a session id, with one budget, one trace, and one audit trail.

Sequence policy

A declarative ordering grammar over an agent’s tool calls – “pay requires a prior vendor lookup”, “send_email at most 3 times” – enforced as a state machine over the run.

System prompt leakage

OWASP LLM07: extraction of the system prompt – and any logic or secrets in it – through the model’s own output. Detected via canary tokens and extraction-pattern scanning.

Taint tracking

Following screened PII, detected secrets, and canaries through an agent’s run and blocking them from leaving via tool-call arguments – possible because the proxy created the placeholders.

Tool poisoning

An MCP attack where a tool’s manifest description carries instructions aimed at the model – ingested as documentation during discovery, read as orders.

Tool-result scanning

Injection-scanning everything a tool returns before it re-enters the model’s context – the layer that addresses indirect injection where it actually arrives in agent loops.

Unbounded consumption

OWASP LLM10: token and cost consumption without limits – loops, denial-of-wallet, oversized traffic. Countered by per-run cost, step, and tool budgets.

Every term on this page is a check on the wire.

The glossary is the product’s feature list wearing its academic hat. We’re running a limited demo – sign up and we’ll get you in as soon as we can.