Open-Source AI Guardrails for Agentic Systems: SingGuard-NSFA
SingGuard-NSFA is an open-source framework designed to mitigate operational risks within agent-based workflows.
Risk categorization framework
The NSFA risk taxonomy organizes threats according to the confidentiality, integrity, and availability principles of the CIA triad. It defines 185 distinct risk scenarios grouped under broader categories and subdomains, validated against three OWASP standards.
Five primary categories
Five primary categories address query-side vulnerabilities: prompt injection and evasion attempts, malicious code and cyberattack requests, data exfiltration risks, hazardous operations and tool misuse, and resource consumption abuses.
Two additional categories
Two additional categories focus on response-side threats, including unsafe action generation and disclosure of sensitive data.
Operational modes
SingGuard-NSFA operates in two distinct configurations. The generative mode employs a chain-of-thought analytical approach aligned with the taxonomy, producing structured risk assessments for compliance reviews and manual verification. The real-time classification mode processes the final token embedding from a single inference pass, distributing analysis across parallel domain-specific heads. This mode achieves per-sample processing times between 45 and 57 milliseconds, enabling integration into production agent pipelines without significant latency.
Performance metrics
Benchmarking results indicate F1 scores exceeding 94% across all four models on multilingual test datasets. These evaluations cover 133 languages and include cross-source validation against public agent-security datasets such as AgentDojo, InjecAgent, and AgentHarm. The training process utilizes chain-of-thought supervised fine-tuning with explicit boundary markers to isolate external text, preventing manipulated instructions from influencing analysis outcomes.
Customization capabilities
Adding new risk classifications does not necessitate retraining the core model. Teams can develop specialized classification heads using frozen model embeddings and integrate them seamlessly. The system maintains real-time performance even with tens of thousands of active heads, and these components remain compatible with alternative guardrail implementations.
Distribution and accessibility
The framework is freely available on GitHub, offering open-source access to its components. It is designed to complement existing security solutions, including Llama Guard 3, the most widely adopted agent security tool.
Technical details
The architecture emphasizes scalability and adaptability, with mechanisms to handle evolving threat landscapes. Its design prioritizes low-latency processing while maintaining high accuracy across diverse linguistic and operational contexts. The project’s documentation includes guidelines for deployment, customization, and integration with existing AI security infrastructures.
