Guardrail types
The five kinds of guardrail — pattern, PII, topic, custom-rule, and full PII — and how to choose the right one for each job.
Guardrails come in a few types, each suited to a different kind of risk. Some are fast and exact; others use AI to make a judgment call. This page covers all five, so you can pick the right tool for what you're trying to protect against.
Pattern — exact text matching
A pattern guardrail matches specific text — a phone format, a forbidden word, a code shape — and blocks it. It's fast and literal: if the text matches, it's stopped, and the customer sees the reason you set.
Reach for it when you have a precise, known string to catch — a competitor's name, a discount code you don't want quoted, a format you want to refuse.
PII — protecting sensitive data
A PII guardrail finds personally identifiable information — emails, phone numbers, card numbers, ID numbers and the like — and either masks it or blocks the message. This is the workhorse of compliance, and the one we recommend on every assistant.
It's fast and pattern-based, covering the structured kinds of sensitive data. For the deep dive on exactly what it detects and how masking works, see PII & compliance.
Reach for it when you want to keep card numbers, IDs, and contact details out of your logs and replies — which is to say, almost always.
Custom rule (LLM) — your business logic
A custom-rule guardrail uses AI to judge a message against instructions you write in plain language — "block any message that discusses our competitors by name" or "don't let the agent give legal advice." Instead of an exact pattern, you describe the spirit of the rule and the AI applies it.
On the way out, a custom rule can also rewrite a reply that strayed, nudging it back in line rather than just blocking it.
Reach for it when the rule is about meaning, not exact words — the nuanced "you know it when you see it" boundaries that a simple pattern can't capture.
Topic — staying on subject
A topic guardrail keeps conversations within the subjects you allow. You list what's on-topic — billing, orders, product questions, returns — and it gently blocks messages that wander clearly outside them, while erring toward letting borderline cases through (better to allow a gray-area question than to wrongly refuse a real one).
Reach for it when you want the agent focused on its job and not drawn into debates, off-topic chitchat, or questions outside its remit.
Full PII — names, places, and more
A full PII guardrail extends the standard PII protection with AI-powered detection of the fuzzier kinds of sensitive information — person names, locations, dates that identify someone, and similar details that don't follow a fixed pattern. Where the standard PII guardrail catches structured data instantly, this one adds judgment for the things only context reveals.
Reach for it when you need the strictest privacy posture — masking not just card numbers and emails, but names and addresses too.
Choosing at a glance
| You want to… | Use |
|---|---|
| Block an exact word, code, or format | Pattern |
| Mask cards, emails, IDs, phone numbers | PII |
| Enforce a nuanced business rule | Custom rule |
| Keep the agent on allowed subjects | Topic |
| Mask names and locations too | Full PII |
Combining guardrails
You're not limited to one. A typical assistant stacks a few — say, a PII guardrail to protect data, a topic guardrail to stay focused, and a custom rule for a specific business boundary — running in the order you choose. A small, well-chosen stack covers most needs without over-restricting the agent.
To keep things fast and predictable, an assistant runs a focused set of guardrails per direction rather than an unlimited pile. In practice that's plenty — a couple of well-aimed guardrails on input and output covers the vast majority of real needs. Pick the ones that matter most for your business.
→ Next, the privacy deep dive: PII & compliance