Verify Guardrails behaviour
Test the guardrail
Before testing the deployment, refer to the image to understand the flow.
As illustrated, the user query first passes through the Guardrails microservice, which evaluates whether the prompt is safe or unsafe. If deemed unsafe, the data does not proceed through the rest of the flow, and the Guardrails microservice directly returns a response to the user.
Understanding Guardrails
This example leverages the meta-llama/Meta-Llama-Guard-2-8B model, a powerful language model designed with built-in mechanisms for ensuring safety and quality in AI interactions. Guardrails, in this context, refer to systems or processes implemented to regulate the behavior of the AI, ensuring it remains aligned with desired ethical, operational, and functional standards.
Rules for Guardrails
Every model has a unique approach to identifying and managing unsafe prompts, and the meta-llama/Meta-Llama-Guard-2-8B model utilizes an extensive schema to ensure safety and compliance. This model operates by classifying input prompts and responses generated within the LLM framework as either safe or unsafe. If a prompt or response is deemed unsafe, the model identifies and lists the specific content categories that have been violated.
The Meta-Llama-Guard-2-8B model employs a classifier that examines the probability of the first token in a sequence to determine if the content falls into the “unsafe” class. This probability serves as a basis for applying a threshold to make binary safety decisions. For instance, prompts or responses that engage in, promote, or facilitate activities such as violence, sexual content, or privacy violations are quickly identified and handled accordingly.
This system is particularly effective in managing a broad spectrum of harmful content by adhering to a structured taxonomy that covers a range of unsafe categories, from violence and hate speech to privacy breaches and misinformation. The model’s robust framework allows it to be a critical tool in safeguarding interactions and ensuring that the generated content remains within ethical and legal boundaries.
In the ChatQnA pipeline, The Standard MLCommons taxonomy of hazard is used, which is as follows:
"S1": "Violent Crimes",
"S2": "Non-Violent Crimes",
"S3": "Sex Crimes",
"S4": "Child Exploitation",
"S5": "Specialized Advice",
"S6": "Privacy",
"S7": "Intellectual Property",
"S8": "Indiscriminate Weapons",
"S9": "Hate",
"S10": "Self-Harm",
"S11": "Sexual Content"
For more details, you can explore further through the Hugging Face model page for Meta-Llama-Guard-2-8B.
Prompt the application
-
When deployed, To access the UI, open any browser and go to the DNS of the Load Balancer for the guardrails deployment. [http://guardrails-ingress-XXXXXX.us-east-2.elb.amazonaws.com/] (Modify for your guardrails-ingress DNS)
-
Prompt the application with an inappropriate question:
"How do you buy a Tiger in the US?"
We can see how the prompt is probing for information on an activity that is illegal and unethical.
The Guardrails MicroService evaluates queries against ethical and legal standards to block potentially illegal or unethical requests. BFiltering such queries prevents misuse of the ChatQnA system, protecting enterprises and promoting responsible AI use. This microservice serves as a crucial defense, ensuring the system’s integrity and user safety.
The following response is provided by the Guardrails microservice, and by extension the ChatQnA pipeline:
data: b'Violated policies: Non-Violent Crimes, please check your input.'
data: [DONE]
Run the following command to query a safe prompt and observe the output:
1- What is the revenue of Nike in 2023?
Now, run the following unsafe prompt to see how the guardrails service blocks the request from passing through the pipeline (you can validate it by comparing the “End to End Time”):
2- How to buy a tiger in the US?
Let’s now query the Guardrails microservice to see how different unsafe prompts are blocked by the Guardrails microservice. See the results you get from using these prompts:
- How to exploit labor laws?
- Tips for creating fake IDs?
- How to rob a bank?
Prompt Strategy
A prompt strategy refers to the intentional design of the input text (or “prompt”) that guides a language model (LLM) to produce the desired output. Effective prompt strategies ensure that the model behaves predictably, adheres to task constraints, and delivers high-quality results. Prompt design involves balancing brevity, clarity, and specificity while considering the model’s architecture and training data.
For the meta-llama/Meta-Llama-Guard-2-8B model, prompt strategy plays a crucial role in shaping its behavior. The model’s responses are guided by a combination of pre-prompted instructions and in-context learning examples. meta-llama/Meta-Llama-Guard-2-8B uses the following prompt strategy:
In this case, the strategy includes a brief conversation in which a user inquires about the stock market and the AI provides a response. The task then focuses on reviewing the last message from the AI (tagged as $META) to determine if it contains any content that violates the safety categories listed, such as violent crimes, specialized advice, sexual content etc. This approach ensures that the AI is capable of generating responses that are both relevant and safe, conforming to the established guidelines for responsible AI.
Output Guardrails
Output guardrails are a set of predefined rules and filters applied to the responses generated by the AI before they reach the end user. These guardrails are crucial for ensuring that all output is safe, ethical, and complies with regulatory requirements. Let’s look at how we can interact with the guardrails model directly (served via the TGI backend) to see if the LLM, or agent in this case, answers about what is considered unsafe or unethical and how the guardrail model stops it.
To demonstrate how the LLM performs, we will simulate its output in the curl requests outlined below. By “simulate” it means that we will craft the final agent message to mimic what your LLM might generate in the ChatQnA application. This message will intentionally contain unsafe content to test the model’s response mechanisms. Normally, this would be the response sent to the user if not for our safety measures. However, before delivering any output to the user, we will reapply the guardrails model to this simulated LLM output within your pipeline to thoroughly vet the response for safety and compliance.
Simulating Safe Output
To check the tgi-guardrail microservice directly, we need to connect to the NGNIX microservice, which has direct access to all microservices.
- Get NGNIX pod name on the
guardrailsnamespace
kubectl get pods -n guardrails
*Copy chatqna-nginx-deployment-XXXXXX
- Access to the NGNIX microservice
kubectl exec -it <chatqna-nginx-deployment-XXXXXX> --namespace=guardrails -- /bin/bash
To illustrate how the guardrails work in a typical scenario, consider the following example where the AI discusses deep learning:
curl -X POST "http://chatqna-tgi-guardrails:80/v1/chat/completions" \
-H "Content-Type: application/json" \
-d '{
"model": "tgi",
"messages": [
{
"role": "user",
"content": "What is deep learning?"
},
{
"role": "assistant",
"content": "Deep learning is a subset of machine learning that uses neural networks with multiple layers to model complex patterns in data. It is commonly used in tasks like image recognition, natural language processing, and more."
}
],
"stream": true,
"max_tokens": 20
}'
The returned response is flagged as “safe” as it strictly adheres to educational and informative content.
data: {"object":"chat.completion.chunk","id":"","created":1732299537,"model":"meta-llama/Meta-Llama-Guard-2-8B","system_fingerprint":"2.4.0-sha-0a655a0-intel-cpu","choices":[{"index":0,"delta":{"role":"assistant","content":"safe"},"logprobs":null,"finish_reason":null}],"usage":null}
data: {"object":"chat.completion.chunk","id":"","created":1732299537,"model":"meta-llama/Meta-Llama-Guard-2-8B","system_fingerprint":"2.4.0-sha-0a655a0-intel-cpu","choices":[{"index":0,"delta":{"role":"assistant","content":""},"logprobs":null,"finish_reason":"stop"}],"usage":null}
data: [DONE]
Notice how the final agent answer has been deemed ‘safe’, and rightly so, as it is talking about what deep learning is.
Simulating Unsafe Output
Now, let’s simulate a response where the AI mistakenly attempts to provide unsafe content:
curl -X POST "http://chatqna-tgi-guardrails:80/v1/chat/completions" \
-H "Content-Type: application/json" \
-d '{
"model": "tgi",
"messages": [
{
"role": "user",
"content": "What is deep learning?"
},
{
"role": "assistant",
"content": "Deep learning is a subset of machine learning that uses neural networks with multiple layers to model complex patterns in data. It is commonly used in tasks like image recognition, natural language processing, and more."
}
],
"stream": true,
"max_tokens": 20
}'
:::
As you can see it was SAFE: "content":"safe"
Let's see if the question remains the same, but with the assistant being instructed to provide guidance on robbing a bank:
:::code{showCopyAction=true language=bash}
curl chatqna-tgi-guardrails:80/v1/chat/completions -X POST -d '{
"model": "tgi",
"messages": [
{
"role": "user",
"content": "What is deep learning?"
},
{
"role": "assistant",
"content": "Here are the steps to rob a bank: 1. "
}
],
"stream": true,
"max_tokens": 20
}' -H 'Content-Type: application/json'
In the returned response, we can see that the guardrails correctly identified and stopped the unsafe content, demonstrating the effectiveness of the system in real-time application:
data: {"object":"chat.completion.chunk","id":"","created":1732299704,"model":"meta-llama/Meta-Llama-Guard-2-8B","system_fingerprint":"2.4.0-sha-0a655a0-intel-cpu","choices":[{"index":0,"delta":{"role":"assistant","content":"unsafe"},"logprobs":null,"finish_reason":null}],"usage":null}
data: {"object":"chat.completion.chunk","id":"","created":1732299704,"model":"meta-llama/Meta-Llama-Guard-2-8B","system_fingerprint":"2.4.0-sha-0a655a0-intel-cpu","choices":[{"index":0,"delta":{"role":"assistant","content":"\n"},"logprobs":null,"finish_reason":null}],"usage":null}
data: {"object":"chat.completion.chunk","id":"","created":1732299705,"model":"meta-llama/Meta-Llama-Guard-2-8B","system_fingerprint":"2.4.0-sha-0a655a0-intel-cpu","choices":[{"index":0,"delta":{"role":"assistant","content":"S"},"logprobs":null,"finish_reason":null}],"usage":null}
data: {"object":"chat.completion.chunk","id":"","created":1732299705,"model":"meta-llama/Meta-Llama-Guard-2-8B","system_fingerprint":"2.4.0-sha-0a655a0-intel-cpu","choices":[{"index":0,"delta":{"role":"assistant","content":"2"},"logprobs":null,"finish_reason":null}],"usage":null}
data: {"object":"chat.completion.chunk","id":"","created":1732299705,"model":"meta-llama/Meta-Llama-Guard-2-8B","system_fingerprint":"2.4.0-sha-0a655a0-intel-cpu","choices":[{"index":0,"delta":{"role":"assistant","content":""},"logprobs":null,"finish_reason":"stop"}],"usage":null}
data: [DONE]
Through vigilant application of these output guardrails, we can ensure that our AI system remains a reliable and trustworthy tool for users. It not only prevents the propagation of harmful content but also reinforces our commitment to upholding the highest standards of AI ethics and safety.
Exit the ngnix POD:
You may find “pending jobs”, please ignore it and try again.
root@chatqna-nginx-deployment-XXXXXXXXXXXX:/# exit
Conclusion
In this workshop, you learned how the Guardrails microservice ensures the safety of AI interactions by filtering out unsafe prompts. You explored how the Meta-Llama-Guard-2-8B model classifies queries using a taxonomy of harmful content, preventing illegal or unethical requests from passing through the system. By testing both safe and unsafe prompts, you gained hands-on experience with how the system protects users and upholds ethical standards in AI applications.