AI Red Teaming / Guardrails

Business objective

Two related jobs the CSV survey bundles together:

  • AI red-teaming — adversarial testing that finds an AI app’s weaknesses before attackers do: automated jailbreak/prompt-injection attempts, harmful-output probing, data-leakage tests, scanned against your model, prompts, and RAG setup. It is offensive QA for AI — the pentest you run pre-production and on a schedule.
  • Guardrails — the runtime filters that enforce the rules once you ship: input/output validators that block disallowed content, injection attempts, PII leakage, hallucinated or off-policy responses.

The pairing is natural: red-teaming discovers the failure modes; guardrails (and the ai-runtime-security firewall) block them. Many vendors sell both, and the “evaluation” half overlaps with llm-observability.

When you need it

Day-2 for most shops — you stand up the gateway, firewall, and observability first, then add systematic red-teaming and tuned guardrails as the app matters more. It moves earlier (toward Day-1) for higher-stakes deployments: anything customer-facing, anything touching MNPI or client data, or anything that must pass model-risk review. For a hedge-fund CTO, red-team reports are useful evidence for ai-governance-platform / SR 11-7 sign-off, and lightweight OSS guardrails (Guardrails AI, NeMo) can be adopted early at low cost.

Security role

Two modes. Red-teaming is detective and out-of-band — it doesn’t block in production; it reveals your app’s exposures before attackers find them (does untrusted input reach sensitive data? can output exfiltrate?). Guardrails are preventive and inline — they screen untrusted input (reject injection/jailbreak prompts) and filter leaky or unsafe output at runtime. Red-teaming spans all zones as a testing activity; guardrails sit at the same red/yellow boundary as the AI firewall.

Vendors

Red-teaming / adversarial testing-first

Guardrails / safety-filter-first

  • guardrails-ai — open-source guardrails framework (validators for I/O).
  • nemo-guardrails — NVIDIA’s open-source guardrails toolkit.
  • lakera — prompt-injection/guardrail detection with strong research (cross-listed in ai-runtime-security).
  • pangea — AI security guardrails / API-delivered controls (flagged acquired by CrowdStrike, per seed).

Eval-and-guardrail platforms (overlap with observability)

Consolidation / M&A dynamics

Heavily consolidating. Per seed flags (unverified — to confirm in research): Promptfoo flagged as acquired by OpenAI; Lakera flagged as acquired by Check Point; Galileo flagged as acquired by Cisco; Pangea flagged as acquired by CrowdStrike. The pattern mirrors ai-runtime-security: platform vendors (Cisco, Check Point, CrowdStrike) and model labs (OpenAI) are buying the red-team/guardrail specialists. The result is that several survey options now sit inside larger security suites or model-provider stacks.

Adjacent categories

  • ai-runtime-security — the production firewall that enforces what guardrails define and red-teaming uncovers; large overlap (HiddenLayer, Lakera, SplxAI, Enkrypt, TrojAI appear in both).
  • llm-observability — shares the “evaluation” surface; eval-platform vendors (Braintrust, Giskard, Patronus, Maxim, Galileo) span both.
  • ai-governance-platform — consumes red-team reports as model-risk evidence.
  • agent-runtime-security — red-teaming extends to multi-step agent behavior, not just single prompts.

Survey

Question: Which AI red-teaming and guardrail tools are you using or evaluating to test AI apps for vulnerabilities and to enforce input/output safety controls?

Answer options: Mindgard, SplxAI, Promptfoo, HiddenLayer, Lakera, Guardrails AI, NeMo Guardrails, Galileo, Patronus, Pangea, Maxim AI, Haize Labs, Enkrypt AI, TrojAI, Braintrust, Giskard, Other (Please Specify).

Response scale: multi-select; Interested; Considering/evaluating; Pilot/implementing; In production; Would recommend; Would not recommend.

Notes for survey design:

  • This category bundles two distinct jobs (offensive red-teaming vs runtime guardrails). Consider splitting into two questions — respondents using NeMo Guardrails (a filter) and Mindgard (a pentest tool) are doing different things.
  • Heavy cross-listing with ai-runtime-security (HiddenLayer, Lakera, SplxAI, Enkrypt, TrojAI) and llm-observability (Braintrust, Giskard, Patronus, Maxim) will cause double-placement; lead with a definition.
  • OSS options (Guardrails AI, NeMo, Promptfoo, Giskard) will skew toward “in production” via low-friction adoption; commercial red-team platforms skew “evaluating.”
  • M&A dates several options: if confirmed, Promptfoo→OpenAI, Lakera→Check Point, Galileo→Cisco, Pangea→CrowdStrike. Show recognizable names.

Open taxonomy questions

  • Should this split into ai-red-teaming (offensive testing) and ai-guardrails (runtime filters)? The seed CSV merged them but they serve different buyers and lifecycle stages.
  • Guardrails overlap so much with ai-runtime-security that the boundary is mostly “delivered as a framework/library” (here) vs “delivered as an inline firewall product” (there). Worth a stated rule.
  • This is a CSV-only cut folded out of llm-observability in the doc; confirm the split survives the final taxonomy pass.