Open-Source Guardrails for Agentic AI: SingGuard-NSFA

▼ Summary
– SingGuard-NSFA is an open-source guardrail framework for agent workflows, with four models (0.8B to 9B parameters) built on Qwen3.5 backbones.
– Its NSFA risk taxonomy organizes 185 risk variants along the CIA triad, covering seven top-level domains for query and response threats.
– The framework offers two inference modes: a generative mode for chain-of-thought analysis and a real-time classification mode with 45–57ms latency.
– Benchmarks report F1 scores above 94% on multilingual test sets spanning 133 languages, with margins above competing guardrails.
– New risk categories can be added via small classification heads without retraining the backbone, and the system also improves Llama Guard 3’s F1 score by 17.6 points.
Open-source guardrails are becoming essential for securing agentic AI workflows, and the newly released SingGuard-NSFA framework offers a practical, scalable solution. Designed to counter operational threats in autonomous agent pipelines, the project delivers four model sizes built on Qwen3.5 base backbones: 0.8B, 2B, 4B, and 9B parameters.
The framework’s core is the NSFA risk taxonomy, which organizes threats around the classic CIA triad of confidentiality, integrity, and availability. It defines 185 distinct risk variants, grouped under top-level domains and mid-level categories, and cross-validated against three OWASP guidelines. On the query side, five domains cover prompt injection and jailbreaks, malicious code and cyberattack requests, sensitive information theft, dangerous operations and tool abuse, and resource abuse. Two additional domains address response-side risks: hazardous action generation and sensitive information leakage.
SingGuard-NSFA operates in two inference modes. The generative mode produces a chain-of-thought analysis rooted in the taxonomy, followed by a structured risk judgment suited for compliance auditing and human review. The real-time classification mode routes the last-token embedding from a single forward pass into lightweight per-domain heads that fire in parallel. With per-sample latency ranging from 45 to 57 milliseconds, this mode is fast enough to sit directly in the request path of production agents.
Benchmark results are strong. All four models report F1 scores above 94% on three multilingual test sets, outperforming competing guardrails by several points at each size. The evaluation spans 133 languages and includes a cross-source set adapted from public agent-security datasets such as AgentDojo, InjecAgent, and AgentHarm. Backbone training uses chain-of-thought supervised fine-tuning with explicit boundary tags wrapping external text, a design choice that prevents injected instructions from steering the analysis phase.
Extensibility is a key feature. Adding a new risk category does not require retraining the backbone. Teams can train a small classification head on the frozen model’s embeddings and plug it in. The pipeline maintains its real-time latency budget even with tens of thousands of heads. These same heads also work on other guardrails. When bolted onto Llama Guard 3, the most widely downloaded content-safety model, the combined system gained 17.6 F1 points on the multilingual query benchmark, with smaller single-digit improvements on response and cross-source tests. A content-safety head trained on the 9B SingGuard-NSFA backbone came within one F1 point of dedicated content-safety systems like WildGuard and GPT-5.1.
SingGuard-NSFA is available for free on GitHub.
(Source: Help Net Security)




