Match each safety check to the rail it belongs on
Safety checks live on four rails, input (before the model), retrieval (when external content arrives), action (when a tool call is proposed), and output (before the response leaves), each rail handles the threats
Picture a kitchen with four doors: the pantry door for ingredients, the back door for deliveries, the stove door for cooking, and the dining-room door for plates going out. A safety inspector watches each one separately. The pantry door checks what the user brings in. The back door checks deliveries from outside. The stove door checks whether the cook is about to do something dangerous. The dining-room door checks whether the plate that is about to leave has anything on it that should not be served. Each problem belongs at the door closest to its cause, because that is where you have the right tools to deal with it.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
2 min: name the four rails, walk through one threat per rail, explain why the same topic can land on different rails depending on origin.
Real products, models, and research that use this idea.
- NVIDIA NeMo Guardrails encodes the four rail types as explicit Colang flow categories, input, output, retrieval, execution.
- AWS Bedrock Guardrails separates content policies (input/output) from sensitive information filters and topic policies, layered with model-side tool-use validation.
- Production teams running Claude Opus 4.7 or GPT-5.5 agents in 2026 typically wire four separate guardrail stages so the on-call can isolate which rail is breaking when an incident fires.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you instrument so that you can answer the question, which rail blocked the most requests this week?
QWhat is the right rail for a check that needs information from both input and output (e.g. consistency)?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Putting every check on the input rail because it is the obvious entry point; many threats (model echoing PII, malicious tool calls, injection in retrieved content) cannot be caught there at all.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.