0% platform fee — first 1,000,000 customersClaim 0% fee
Guardrails

Every request. Protected by default.

Five guardrails fire on every Nemo Router request from day one. PII redaction, prompt-injection detection, secret scanning, abuse blocking, response scanning — sub-50ms overhead, free on every tier, configurable per org/team/key.

guardrails · live event

Pre-call scan trigger

Provider modelgemini-2.5-flash
PII detectedSSN, email
Actionredact
API-key scanclean
Injection score0.04
Pre-call latency38 ms
Verdictallow + redact
PresidioInjection v3Secret scanAbuseResponse scan
Guardrails on every plan
5

PII, injection, secrets, abuse, response

Pre-call overhead
< 50 ms

Runs in parallel with request prep

Plan tiers gating it
0

Active on every tier from day one

Configurable scopes
3

Org > Team > Key with override

The pipeline

Five gates, inline on every request — not a sidecar.

Every guardrail runs inline on the request path before it reaches a provider. No extra API call, no SDK changes, no sidecar to scale.

pre-call

Injection

Six attack classes blocked before the model is invoked — 403, no charge.

pre-call

PII redact

Presidio masks SSNs, emails, cards, phones, addresses before the prompt leaves.

pre-call

Secret scan

sk-*, AKIA*, PATs, JWTs, high-entropy strings — redacted or blocked.

pre-call

Abuse block

Harmful-content keywords with leet-speak + Unicode normalization.

post-call

Response scan

Output buffered, scanned, then delivered — leaked prompts and PII withheld.

The model sits between the pre-call gates and the response scan — blocked requests never reach it.

Scope hierarchy

Org > Team > Key with explicit override semantics

Lower scopes inherit higher-scope guardrails by default and can override them only if the parent permits. The same organization_id flows through every scope decision — no mapping table to drift.

Scope 01 — organization

5 guardrails inherited by every key

The security floor. Applies org-wide; resolution cached 30s, revoke is immediate.

Scope 02 — team

+ webhook (legal review)

Teams layer additional guardrails on top of the org set for their keys.

Scope 03 — key

skip injection — org permits

A research key can skip one inherited guardrail, but only if the org policy allows the override.

scope resolution · sk-nemo-...x4kf

Effective guardrail set

Org policy5 inherited
Team policy+ webhook (legal)
Key policyskip injection
Override allowed?yes (org permits)
Effective at request5 active
orgteam:legalkey:research-01
Full guardrail catalog — detectors, providers, billing semantics
PII redaction (Microsoft Presidio)
SSN, credit card, email, phone, address detectors plus custom recognizers for org-specific patterns. Replacement tokens preserved across the conversation; the model never sees the raw value.
Prompt-injection detection
Heuristic detection across six attack categories — instruction override, role switching, prompt extraction, delimiter injection, encoding tricks, DAN-style jailbreaks. Logged with attack class for SIEM ingestion.
Secret + API-key scanning
OpenAI sk-*, Anthropic sk-ant-*, AWS AKIA*, GitHub PATs, Slack tokens, JWT, Stripe keys, plus a generic high-entropy detector. Block-vs-redact mode configurable per scope.
Abuse + harmful-content blocking
Violence, weapons, drug synthesis, CSAM, and self-harm keywords with leet-speak normalization. Pre-call by default, post-call for response sweeps. Returns 403 guardrail_blocked with category breakdown.
Response scanning (streaming-aware)
Streamed output is buffered, scanned as a complete message, then forwarded. Blocked completions are withheld; the client sees a 403 mid-stream. Post-call blocks were billed for the LLM call.
Custom webhook guardrails
Send the prompt to any HTTPS endpoint, await a verdict, then allow / block / redact. Configurable timeout (default 500ms), fail-open or fail-closed, signed payloads. Layer on top of the built-ins.
Third-party providers
Microsoft Presidio, regex patterns, keyword filters, injection detection, and custom webhooks are live today. Azure Content Safety, Bedrock Guardrails, Lakera Guard, and Aporia are on the roadmap.
Billing on blocks
Pre-call blocks: no LLM call is made, the credit reservation is released, you pay nothing. Post-call blocks: the upstream call already happened, so provider cost applies — the output is withheld.
FAQ

Common guardrail questions

97+ models · 5 guardrails · 0 setup

Ship safer LLM features without writing safety code

Sign up, pick a tier, drop in your virtual key. Guardrails fire on the very first request — no flags to flip, no contracts to sign.