- 1RLHF / DPO / Constitutional AI preference training
- 2Pretraining data filtering and curation
- 3Runtime output guardrails (toxicity, redaction, structure)
- 4Audit logging and human escalation
- 5Runtime input guardrails (injection, PII, off-topic)
- 6Behavioural guardrails on tool calls (allowlist, confirmation)
- 7Supervised fine-tuning on safe demonstrations
The defence in depth stack runs from training-time data curation through SFT, RLHF, runtime input rails, output rails, behavioural rails on tools, and finally audit logging, innermost (weights) to outermost (logs).
Imagine the safety layers of a castle. The deepest layer is the recruitment process for guards, who you let into the castle in the first place. Then comes their training. Then their drills and code of conduct. Out at the gate sits the door guard who checks anyone coming in. Past the door, a second guard checks anything leaving the castle. Around any tool the guards use (keys, weapons), a quartermaster signs items in and out. Finally, a scribe records everything in a ledger. Each layer is independent. If a clever visitor talks past the door guard, the exit guard might still catch them. If both fail, the ledger lets a magistrate review what happened.
Detailed answer & concept explanation~5 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
6 minutes: the seven layers in order, why they have independent failure modes, where the trust gradient runs, and how compliance regimes consume the outer layers as evidence.
Real products, models, and research that use this idea.
- Anthropic Claude Opus 4.7 production deployments combine Constitutional AI alignment with AWS Bedrock Guardrails input/output rails and Bedrock Agents action-group allowlists, all logged to CloudWatch with S3 object-lock retention
- OpenAI GPT-5.5 deployments pair the model's RLHF refusals with OpenAI Moderation as input and output rails, plus tool-list allowlists in Assistants v2, plus customer-side audit logs
- Meta Llama 4 Maverick reference deployments stack Llama Guard 4 (output toxicity) with Llama Prompt Guard (input injection) and a developer-side tool allowlist
- AWS Bedrock Agents publishes a reference architecture combining Bedrock Guardrails (input/output), action groups (tool allowlist), and Lambda-side argument validation, with CloudTrail audit logging
What an interviewer would ask next. Try answering before peeking at the approach.
QIf you had to drop two layers from the seven for a constrained MVP, which two would you drop and why?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Skipping the runtime layers because the training-time alignment looks strong, or skipping the audit layer because the rails seem to work, defence in depth requires independent failure modes.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.