Every request. Protected by default.
Five guardrails fire on every Nemo Router request from day one. PII redaction, prompt-injection detection, secret scanning, abuse blocking, response scanning — sub-50ms overhead, free on every tier, configurable per org/team/key.
Pre-call scan trigger
- Guardrails on every plan
- 5
- Pre-call overhead
- < 50 ms
- Plan tiers gating it
- 0
- Configurable scopes
- 3
PII, injection, secrets, abuse, response
Runs in parallel with request prep
Active on every tier from day one
Org > Team > Key with override
Five gates, inline on every request — not a sidecar.
Every guardrail runs inline on the request path before it reaches a provider. No extra API call, no SDK changes, no sidecar to scale.
Injection
Six attack classes blocked before the model is invoked — 403, no charge.
PII redact
Presidio masks SSNs, emails, cards, phones, addresses before the prompt leaves.
Secret scan
sk-*, AKIA*, PATs, JWTs, high-entropy strings — redacted or blocked.
Abuse block
Harmful-content keywords with leet-speak + Unicode normalization.
Response scan
Output buffered, scanned, then delivered — leaked prompts and PII withheld.
The model sits between the pre-call gates and the response scan — blocked requests never reach it.
Org > Team > Key with explicit override semantics
Lower scopes inherit higher-scope guardrails by default and can override them only if the parent permits. The same organization_id flows through every scope decision — no mapping table to drift.
Scope 01 — organization
5 guardrails inherited by every key
The security floor. Applies org-wide; resolution cached 30s, revoke is immediate.
Scope 02 — team
+ webhook (legal review)
Teams layer additional guardrails on top of the org set for their keys.
Scope 03 — key
skip injection — org permits
A research key can skip one inherited guardrail, but only if the org policy allows the override.
Effective guardrail set
Full guardrail catalog — detectors, providers, billing semantics
- PII redaction (Microsoft Presidio)
- SSN, credit card, email, phone, address detectors plus custom recognizers for org-specific patterns. Replacement tokens preserved across the conversation; the model never sees the raw value.
- Prompt-injection detection
- Heuristic detection across six attack categories — instruction override, role switching, prompt extraction, delimiter injection, encoding tricks, DAN-style jailbreaks. Logged with attack class for SIEM ingestion.
- Secret + API-key scanning
- OpenAI sk-*, Anthropic sk-ant-*, AWS AKIA*, GitHub PATs, Slack tokens, JWT, Stripe keys, plus a generic high-entropy detector. Block-vs-redact mode configurable per scope.
- Abuse + harmful-content blocking
- Violence, weapons, drug synthesis, CSAM, and self-harm keywords with leet-speak normalization. Pre-call by default, post-call for response sweeps. Returns 403 guardrail_blocked with category breakdown.
- Response scanning (streaming-aware)
- Streamed output is buffered, scanned as a complete message, then forwarded. Blocked completions are withheld; the client sees a 403 mid-stream. Post-call blocks were billed for the LLM call.
- Custom webhook guardrails
- Send the prompt to any HTTPS endpoint, await a verdict, then allow / block / redact. Configurable timeout (default 500ms), fail-open or fail-closed, signed payloads. Layer on top of the built-ins.
- Third-party providers
- Microsoft Presidio, regex patterns, keyword filters, injection detection, and custom webhooks are live today. Azure Content Safety, Bedrock Guardrails, Lakera Guard, and Aporia are on the roadmap.
- Billing on blocks
- Pre-call blocks: no LLM call is made, the credit reservation is released, you pay nothing. Post-call blocks: the upstream call already happened, so provider cost applies — the output is withheld.
Common guardrail questions
97+ models · 5 guardrails · 0 setup
Ship safer LLM features without writing safety code
Sign up, pick a tier, drop in your virtual key. Guardrails fire on the very first request — no flags to flip, no contracts to sign.