SingGuard-NSFA: Open-source guardrails for agentic AI

SingGuard-NSFA: Open-source guardrails for agentic AI

SingGuard-NSFA is an open-source guardrail framework aimed at operational threats in agent workflows. Four models ship at 0.8B, 2B, 4B, and 9B parameters, all built on Qwen3.5 base backbones.

agentic AI guardrails

Risk taxonomy

The NSFA risk taxonomy organizes threats along the CIA triad of confidentiality, integrity, and availability. It defines 185 risk variants grouped under a smaller set of top-level domains and mid-level categories, cross-validated against three OWASP guidelines.

Five top-level domains cover query-side threats: prompt injection and jailbreaks, malicious code and cyberattack requests, sensitive information stealing, dangerous operations and tool abuse, and resource abuse. Two more cover response-side threats: hazardous action generation and sensitive information leakage.

Two inference modes

SingGuard-NSFA runs in two modes. A generative mode produces a chain-of-thought analysis grounded in the taxonomy, followed by a structured risk judgment intended for compliance auditing and human review. A real-time classification mode routes the last-token embedding from a single forward pass into lightweight per-domain heads that fire in parallel. Per-sample latency in classification mode runs from 45 to 57 milliseconds, low enough to sit in the request path of production agents.

Reported performance

The project’s benchmarks report F1 scores above 94% for all four models on three multilingual test sets, with margins of several points above competing guardrails at each size.

The benchmarks span 133 languages and include a cross-source evaluation set adapted from public agent-security datasets including AgentDojo, InjecAgent, and AgentHarm. Backbone training uses chain-of-thought supervised fine-tuning with explicit boundary tags wrapping external text, a step meant to keep injected instructions from steering the analysis phase.

Extensibility

Adding a new risk category doesn’t require retraining the backbone. Teams train a small classification head on the frozen model’s embeddings and plug it in. The pipeline stayed within its real-time latency budget even at tens of thousands of heads.

The same heads work on other guardrails. Bolted onto Llama Guard 3, the most widely downloaded content-safety model, the combined system picked up 17.6 F1 points on the multilingual query benchmark, with smaller single-digit gains on the response and cross-source tests. A content-safety head trained on the 9B SingGuard-NSFA backbone came within one F1 point of dedicated content-safety systems the developers tested against, among them WildGuard and GPT-5.1.

SingGuard-NSFA is available for free on GitHub.

Must read:

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!

Leave a Reply