A Comparative Evaluation of AI Agent Security Guardrails

The deployment of AI agents — systems that perceive, reason, and take actions across tools, APIs, and physical interfaces — has outpaced the development of rigorous security evaluation for the guardrails meant to keep them safe. Most safety research focuses on the models themselves: their alignment training, jailbreak resistance, and refusal behavior. Far less attention has been paid to the guardrail infrastructure that sits around deployed agents in production — the filters, classifiers, and policy-enforcement layers that catch harmful requests before they reach or leave the model.

Li et al. address this gap directly with the first systematic comparative evaluation of commercial AI agent security guardrail products. Their study benchmarks four systems — DKnownAI Guard, AWS Bedrock Guardrails, Azure Content Safety, and Lakera Guard — across a broad set of threat categories specifically relevant to agentic deployments. The findings are sobering: performance varies dramatically across threat types, and the threat categories most specific to agentic contexts (as opposed to simple chatbot harm) are where the largest gaps appear.

Threat Categories and Evaluation Design

The evaluation covers seven attack and content categories: instruction override (the agent is instructed to ignore its system prompt or safety constraints), indirect prompt injection (malicious instructions are embedded in external content the agent retrieves and processes), tool abuse (the agent is manipulated into misusing its available tools — APIs, file systems, code execution), harmful content generation, hate speech, sexually explicit material, and violence.

The first three categories are distinctly agentic threats. A chatbot interacting with a human over a text interface faces a different attack surface than an AI agent that can browse the web, execute shell commands, search databases, and call enterprise APIs. Indirect prompt injection — where a malicious instruction is embedded in a webpage, document, or API response rather than typed by the user — is essentially a new class of threat that did not exist in meaningful form before agentic AI deployment became widespread. Tool abuse adds another dimension: even if the agent itself is not producing harmful text, it may be manipulated into taking harmful actions through its tool interfaces.

Key Findings

DKnownAI Guard achieves the highest recall rate and true negative rate across the evaluation, outperforming AWS Bedrock Guardrails, Azure Content Safety, and Lakera Guard on the aggregate benchmark. However, the aggregate picture conceals important variance. On indirect prompt injection and tool abuse — the most agentic-specific threat categories — all four systems show measurably weaker performance than on conventional content categories like hate speech and explicit material. This is unsurprising given that the latter categories have been the focus of guardrail development for years in the context of content moderation, while the former are newer and harder to specify with clean rule-based or classifier-based approaches.

The true negative rate results are particularly significant for production deployment. A guardrail with high recall but low true negative rate will generate excessive false positives, making the agent effectively unusable for legitimate tasks — a safety-utility tradeoff that teams deploying agentic systems navigate constantly. The evaluation provides the clearest quantitative picture to date of where that tradeoff currently sits for each major commercial offering.

Connections to Embodied AI Safety

While this evaluation focuses on software agents rather than physical robots, the threat categories map directly onto concerns in embodied AI safety.

Indirect injection as an embodied threat. An embodied agent — a home robot, a warehouse automation system, a surgical assistant — perceives its environment through sensors and processes that information to plan actions. If an adversary can embed instructions in that environment (text on a product label, a QR code, a strategically placed visual pattern), they can execute what is effectively an indirect prompt injection attack against the robot’s planning system. The VLA safety survey classifies this as a “semantic jailbreak” and notes it as an underexplored attack vector. This paper’s finding that commercial guardrails are weakest precisely on indirect injection should inform anyone building safety infrastructure for embodied systems.

Tool abuse and physical actuators. In an agentic software context, tool abuse means the agent is manipulated into calling an unintended API. In an embodied context, the equivalent is manipulating the robot’s action selection — causing it to grasp the wrong object, move to an unsafe location, or apply excessive force. The defense challenge is structurally similar: the guardrail must understand not just the content of a request but the intent and consequence of an action, which requires richer semantic modeling than simple pattern matching.

Evaluation gaps as a safety signal. The paper’s most important contribution may be methodological: demonstrating that safety evaluation of commercial guardrail systems requires a threat taxonomy specifically designed for agentic deployments, not borrowed from content moderation benchmarks. This parallels the criticism in the embodied AI literature that existing LLM safety benchmarks (AdvBench, HarmBench) fail to capture the physical consequence dimension of robot safety failures. Both fields are grappling with the same underlying problem: safety benchmarks that were designed for one deployment context do not automatically transfer to more complex, agentic ones.

Deployment-time defense. Unlike safety-aware training or certified robustness — which must be baked into the model before deployment — guardrail infrastructure is a deployment-time control that can be updated, swapped, or layered without retraining the underlying model. This makes it one of the most practical near-term safety levers available. Understanding which commercial guardrail products actually perform against real agentic threats is therefore directly actionable information for teams deploying AI systems in high-stakes environments.

Looking Ahead

The authors evaluate guardrails against a fixed threat taxonomy, but the agentic threat landscape is not static. Instruction override and indirect injection attacks are evolving rapidly, with new techniques emerging from the red-teaming community on a timescale of weeks. A guardrail that performs well on today’s benchmark may be bypassed by tomorrow’s attack variant. This dynamic mirrors the arms race in jailbreak research, where new attack methods consistently outpace defenses in the short term.

What this paper establishes — and what the field has lacked until now — is a baseline: a reproducible, multi-system comparative evaluation that future work can build on. As AI agents take on increasingly consequential tasks, from enterprise automation to physically embodied operation, the guardrail infrastructure around them deserves the same rigorous adversarial scrutiny that has been applied to the models themselves.

Read the full paper on arXiv · PDF