LogoLogo
Python SDKSlack
  • Documentation
  • Cookbooks
  • Self-Hosting
  • Release Notes
  • Reference
  • Arize AI
  • Quickstarts
  • ✨Arize Copilot
  • Arize AI for Agents
  • Concepts
    • Agent Evaluation
    • Tracing
      • What is OpenTelemetry?
      • What is OpenInference?
      • Openinference Semantic Conventions
    • Evaluation
  • 🧪Develop
    • Quickstart: Experiments
    • Datasets
      • Create a dataset
      • Update a dataset
      • Export a dataset
    • Experiments
      • Run experiments
      • Run experiments with code
        • Experiments SDK differences in AX vs Phoenix
        • Log experiment results via SDK
      • Evaluate experiments
      • Evaluate experiment with code
      • CI/CD with experiments
        • Github Action Basics
        • Gitlab CI/CD Basics
      • Download experiment
    • Prompt Playground
      • Use tool calling
      • Use image inputs
      • Replay spans
      • Compare prompts side-by-side
      • Load a dataset into playground
      • Save playground outputs as an experiment
      • ✨Copilot: prompt builder
    • Playground Integrations
      • OpenAI
      • Azure OpenAI
      • AWS Bedrock
      • VertexAI
      • Custom LLM Models
    • Prompt Hub
  • 🧠Evaluate
    • Online Evals
      • Run evaluations in the UI
      • Run evaluations with code
      • Test LLM evaluator in playground
      • View task details & logs
      • ✨Copilot: Eval Builder
      • ✨Copilot: Eval Analysis
      • ✨Copilot: RAG Analysis
    • Experiment Evals
    • LLM as a Judge
      • Custom Eval Templates
      • Arize Templates
        • Agent Tool Calling
        • Agent Tool Selection
        • Agent Parameter Extraction
        • Agent Path Convergence
        • Agent Planning
        • Agent Reflection
        • Hallucinations
        • Q&A on Retrieved Data
        • Summarization
        • Code Generation
        • Toxicity
        • AI vs Human (Groundtruth)
        • Citation
        • User Frustration
        • SQL Generation
    • Code Evaluations
    • Human Annotations
  • 🔭Observe
    • Quickstart: Tracing
    • Tracing
      • Setup tracing
      • Trace manually
        • Trace inputs and outputs
        • Trace function calls
        • Trace LLM, Retriever and Tool Spans
        • Trace prompt templates & variables
        • Trace as Inferences
        • Send Traces from Phoenix -> Arize
        • Advanced Tracing (OTEL) Examples
      • Add metadata
        • Add events, exceptions and status
        • Logging Latent Metadata
        • Add attributes, metadata and tags
        • Send data to a specific project
        • Get the current span context and tracer
      • Configure tracing options
        • Configure OTEL tracer
        • Mask span attributes
        • Redact sensitive data from traces
        • Instrument with OpenInference helpers
      • Query traces
        • Filter Traces
          • Time Filtering
        • Export Traces
        • ✨AI Powered Search & Filter
        • ✨AI Powered Trace Analysis
        • ✨AI Span Analysis & Evaluation
    • Tracing Integrations
      • OpenAI
      • OpenAI Agents SDK
      • LlamaIndex
      • LlamaIndex Workflows
      • LangChain
      • LangGraph
      • Hugging Face smolagents
      • Autogen
      • Google GenAI (Gemini)
      • Model Context Protocol (MCP)
      • Vertex AI
      • Amazon Bedrock
      • Amazon Bedrock Agents
      • MistralAI
      • Anthropic
      • LangFlow
      • Haystack
      • LiteLLM
      • CrewAI
      • Groq
      • DSPy
      • Guardrails AI
      • Prompt flow
      • Vercel AI SDK
      • Llama
      • Together AI
      • OpenTelemetry (arize-otel)
      • BeeAI
    • Evals on Traces
    • Guardrails
    • Sessions
    • Dashboards
      • Dashboard Widgets
      • Tracking Token Usage
      • ✨Copilot: Dashboard Widget Creation
    • Monitors
      • Integrations: Monitors
        • Slack
          • Manual Setup
        • OpsGenie
        • PagerDuty
      • LLM Red Teaming
    • Custom Metrics & Analytics
      • Arize Query Language Syntax
        • Conditionals and Filters
        • All Operators
        • All Functions
      • Custom Metric Examples
      • ✨Copilot: ArizeQL Generator
  • 📈Machine Learning
    • Machine Learning
      • User Guide: ML
      • Quickstart: ML
      • Concepts: ML
        • What Is A Model Schema
        • Delayed Actuals and Tags
        • ML Glossary
      • How To: ML
        • Upload Data to Arize
          • Pandas SDK Example
          • Local File Upload
            • File Upload FAQ
          • Table Ingestion Tuning
          • Wildcard Paths for Cloud Storage
          • Troubleshoot Data Upload
          • Sending Data FAQ
        • Monitors
          • ML Monitor Types
          • Configure Monitors
            • Notifications Providers
          • Programmatically Create Monitors
          • Best Practices for Monitors
        • Dashboards
          • Dashboard Widgets
          • Dashboard Templates
            • Model Performance
            • Pre-Production Performance
            • Feature Analysis
            • Drift
          • Programmatically Create Dashboards
        • Performance Tracing
          • Time Filtering
          • ✨Copilot: Performance Insights
        • Drift Tracing
          • ✨Copilot: Drift Insights
          • Data Distribution Visualization
          • Embeddings for Tabular Data (Multivariate Drift)
        • Custom Metrics
          • Arize Query Language Syntax
            • Conditionals and Filters
            • All Operators
            • All Functions
          • Custom Metric Examples
          • Custom Metrics Query Language
          • ✨Copilot: ArizeQL Generator
        • Troubleshoot Data Quality
          • ✨Copilot: Data Quality Insights
        • Explainability
          • Interpreting & Analyzing Feature Importance Values
          • SHAP
          • Surrogate Model
          • Explainability FAQ
          • Model Explainability
        • Bias Tracing (Fairness)
        • Export Data to Notebook
        • Automate Model Retraining
        • ML FAQ
      • Use Cases: ML
        • Binary Classification
          • Fraud
          • Insurance
        • Multi-Class Classification
        • Regression
          • Lending
          • Customer Lifetime Value
          • Click-Through Rate
        • Timeseries Forecasting
          • Demand Forecasting
          • Churn Forecasting
        • Ranking
          • Collaborative Filtering
          • Search Ranking
        • Natural Language Processing (NLP)
        • Common Industry Use Cases
      • Integrations: ML
        • Google BigQuery
          • GBQ Views
          • Google BigQuery FAQ
        • Snowflake
          • Snowflake Permissions Configuration
        • Databricks
        • Google Cloud Storage (GCS)
        • Azure Blob Storage
        • AWS S3
          • Private Image Link Access Via AWS S3
        • Kafka
        • Airflow Retrain
        • Amazon EventBridge Retrain
        • MLOps Partners
          • Algorithmia
          • Anyscale
          • Azure & Databricks
          • BentoML
          • CML (DVC)
          • Deepnote
          • Feast
          • Google Cloud ML
          • Hugging Face
          • LangChain 🦜🔗
          • MLflow
          • Neptune
          • Paperspace
          • PySpark
          • Ray Serve (Anyscale)
          • SageMaker
            • Batch
            • RealTime
            • Notebook Instance with Greater than 20GB of Data
          • Spell
          • UbiOps
          • Weights & Biases
      • API Reference: ML
        • Python SDK
          • Pandas Batch Logging
            • Client
            • log
            • Schema
            • TypedColumns
            • EmbeddingColumnNames
            • ObjectDetectionColumnNames
            • PromptTemplateColumnNames
            • LLMConfigColumnNames
            • LLMRunMetadataColumnNames
            • NLP_Metrics
            • AutoEmbeddings
            • utils.types.ModelTypes
            • utils.types.Metrics
            • utils.types.Environments
          • Single Record Logging
            • Client
            • log
            • TypedValue
            • Ranking
            • Multi-Class
            • Object Detection
            • Embedding
            • LLMRunMetadata
            • utils.types.ModelTypes
            • utils.types.Metrics
            • utils.types.Environments
        • Java SDK
          • Constructor
          • log
          • bulkLog
          • logValidationRecords
          • logTrainingRecords
        • R SDK
          • Client$new()
          • Client$log()
        • Rest API
    • Computer Vision
      • How to: CV
        • Generate Embeddings
          • How to Generate Your Own Embedding
          • Let Arize Generate Your Embeddings
        • Embedding & Cluster Analyzer
        • ✨Copilot: Embedding Summarization
        • Similarity Search
        • Embedding Drift
        • Embeddings FAQ
      • Integrations: CV
      • Use Cases: CV
        • Image Classification
        • Image Segmentation
        • Object Detection
      • API Reference: CV
Powered by GitBook

Support

  • Chat Us On Slack
  • support@arize.com

Get Started

  • Signup For Free
  • Book A Demo

Copyright © 2025 Arize AI, Inc

On this page
  • Arize Guards
  • Dataset Embeddings Guard
  • RAG LLM Guard
  • Few Shot LLM Guard
  • General LLM Guard
  • Corrective Actions
  • View Traces in Arize UI
  • Monitoring
  • Resources

Was this helpful?

  1. Observe

Guardrails

Correct undesirable LLM outputs from reaching your customers

Last updated 14 days ago

Was this helpful?

Guardrails correct undesirable outputs at run-time, ensuring real-time safety and compliance. Failed messages trigger corrective actions such as default responses, retries, or blocking outputs entirely.

Arize Guards

Guardrails can be applied to either user input messages (e.g. jailbreak attempts) or LLM output messages (e.g. answer relevance). If a message in a LLM chat fails a Guard, then the Guard will take a corrective action, either providing a default response to the user or prompting the LLM to generate a new response.

We offer four types of Guards:

  • Dataset Embeddings Guard: Provided few shot examples of "bad" messages, Guard against similar inputs based on the cosine distance between embeddings.

  • General LLM Guard: Provide a prompt for an LLM Evaluator to classify the input as "pass" or "fail".

  • RAG LLM Guard: Similar to the General LLM Guard, but designed for the special case where the prompt includes additional context from a RAG application.

  • Few Shot LLM Guard: Provided few shot examples, an LLM Evaluator will classify the input as "pass" or "fail".

Users have the option to instantiate the Guards with off-the-shelf prompts / datasets from Arize, or customize the Guard with their own prompts / datasets. While our demo notebooks use Open AI models, any model provider can be used with a Guard.

Dataset Embeddings Guard

Arize offers an off-the-shelf ArizeDatasetEmbeddings Guard. Given any dataset of "bad" examples, this Guard will protect against similar messages in the LLM chat.

This Guard works in the following way:

  • The Guard computes embeddings for chunks associated with a set of few shot examples of "bad" user prompts or LLM messages (we recommend using 10 different prompts to balance performance and latency).

  • When the Guard is applied to a user or LLM message, the Guard computes the embedding for the input message and checks if any of the few shot "train" chunks in the dataset are close to the message in embedded space.

  • If the cosine distance between the input message and any of the chunks is within the user-specified threshold (default setting is 0.2), then the Guard intercepts the LLM call.

Benchmarking the Dataset Embeddings Guard on Jailbreak Prompts

  • True Positives: 86.43% of 656 jailbreak prompts failed the DatasetEmbeddings guard.

  • False Negatives: 13.57% of 656 jailbreak prompts passed the DatasetEmbeddings guard.

  • False Positives: 13.95% of 2000 regular prompts failed the DatasetEmbeddings guard.

  • True Negatives: 86.05% of 2000 regular prompts passed the DatasetEmbeddings guard.

  • 1.41 median latency for end-to-end LLM call on GPT-3.5.

Note that the "regular prompts" in the dataset consist of role play prompts that are designed to resemble jailbreak prompts.

RAG LLM Guard

Few Shot LLM Guard

(Coming soon) This is similar to the ArizeDatasetEmbeddings Guard, but instead of chunking and embedding the dataset to compute the cosine distance to input messages, we use the dataset as few shot examples for an LLM prompt. Provided the dataset, the LLM Guard uses the prompt to evaluate whether an incoming message is similar to the dataset.

General LLM Guard

Corrective Actions

We recommend two different types of corrective actions when input does not pass the Guard, which can be passed into the Guard upon instantiation:

  • default response: Instantiate the Guard with on_fail="fix" if you want the Guard to use a user-defined hard-coded default LLM response.

  • LLM reask: Instantiate the Guard with on_fail="reask" to re-prompt the LLM when the Guard fails. Note that this can introduce additional latency in your application.

Additional details in a tutorial (coming soon).

View Traces in Arize UI

In addition to real-time intervention, Arize offers tracing and visualization tools to investigate chats where the Guard was triggered.

Below we see the following information in the Arize UI for a Jailbreak attempt flagged by the DatasetEmbeddings Guard:

  • Each LLM call and guard step that took place under the hood.

  • The error message from the Guard when it flagged the Jailbreak attempt.

  • The validator_result: "fail"

  • The validator_on_fail: "exception"

  • The cosine_distance: 0.15, which is the cosine distance of the closest embedded prompt chunk in the set of few shot examples of jailbreak prompts.

  • The text corresponding to the most_similar_chunk.

  • The text corresponding to the input_message.

Monitoring

Resources

For additional support getting started with Guards, please refer to the following resources:

Refer to the and for details, which can be loaded into Colab.

By default, the ArizeDatasetEmbeddings Guard will use few shot examples from a of jailbreak prompts. We benchmarked the performance of our model on this dataset and recorded the following results:

By comparison, the associated with the dataset explains that jailbreak prompts have a 68.5% attack success rate (ASR) on the GPT-4 model.

Refer to for implementation details.

We offer , and RAG LLM Judges as off-the-shelf Arize Guards. After instantiating the Guard, simply pass in the user_message, retrieved context and llm_response to the at runtime and it will Guard against problematic messages. Each off-the-shelf Guard has been benchmarked on a public dataset (see ).

You can also customize this Guard with your own RAG LLM Judge prompt by inheriting from class.

Refer to the and for additional details.

(Coming soon) All off-the-shelf from Arize will be offered as Guards. Users can also instantiate the Guard with a custom prompt.

Refer to the for an example on how to integrate OTEL tracing with your Guard.

Users have the option to connect their guards to Arize . In the example below, we see a user create a monitor that sends an alert every time the Guard fails. These alerts can be connected to slack, PagerDuty, email, etc.

and with OTEL tracing

and with OTEL tracing

🔭
repo
Colab notebook
public dataset
arxiv paper
validator/benchmark_guard_on_dataset.py
Context Relevancy
QA Correctness
Hallucination
LlmRagEvaluator(Validator)
code
ArizeRagEvalPromptBase(ABC)
README
Colab Tutorial
LLM evaluators
Colab notebook
Production Monitoring
Arize Dataset Embeddings Guard
Colab T
utorial
LLM RAG Evaluator Guard
Colab Tutorial
Google Colab
Logo
Google Colab
Logo
Comparision of each Arize Guard.
View GUARDRAIL span where a jailbreak attempt was flagged by the ArizeDatasetEmbeddings Guard.
View attributes to debug why the Guard was triggered, e.g. the cosine distance between the most similar chunk and the embedded user message.
Add custom metric guard_fail to count the number of times that the Guard fails.
Set up Monitor to track custom guard_fail metric.