Guide on Performance and Security for Advanced Production RAG: Part 8 – Guardrail Implementation

Guardrails are key, but the diversity and complexity of input formats make them challenging to put in place, especially for multimodal systems.

RAG systems, which have shown great promise in development environments, can be particularly challenging to deploy in production environments. One major hurdle is ensuring access and security. In production, RAG systems must handle a large volume of user requests while maintaining the security and integrity of the data. This requires robust access controls, encryption, and monitoring, which can be difficult to implement and maintain. In contrast, development environments often have more relaxed security settings, making it easier to test and iterate on RAG systems without the added complexity of security protocols.

“The case for production-grade RAG systems in enterprises warrants much deeper scrutiny over system design, given performance, cost and security considerations.”

In this 9-part series, we discuss various system design considerations that directly impact RAG system performance, cost and security; the series serves as a guide for CTOs, CISOs and AI engineers.

Download the complete guide on Advanced RAG for Enterprises

Guardrail implementation with consideration for different modalities of inputs and outputs

Guardrails for GenAI agents and RAG systems have recently garnered attention as organizations become more aware of the new risk vectors associated with GenAI systems. Text inputs can be carefully crafted for prompt injection to bypass controls; and for multimodal systems, the same crafted prompts can take the form of typed messages in an image, handwritten instructions or, in some cases, machine-readable but non-visible markers embedded within images or videos. The diversity and complexity of input formats make it challenging to put guardrails in place, especially for multimodal systems.

RAG guardrails, especially in multimodal systems, need to simultaneously handle at least 6 categories of security and privacy risk events:

  • Audio-visual code injection [input]
  • Text-based code injection [input]
  • Audio-visual data extraction prompt injection [input]
  • Text-based data extraction prompt injection [input]
  • Data poisoning via user uploads or prompt enumeration [input]
  • Removal of inappropriate content [output]

For these reasons, the implementation of RAG guardrails is not as straightforward as putting in place system prompts or parallel second-checker models. Even the most cutting-edge multimodal models today struggle to simultaneously perform well on visual tasks and logical tasks, the latter being of critical importance to proper guardrail functionality.

Adding to the list of challenges is the need for ultra-low latency in most production environments, so as not to compromise user experience. This is further complicated when both user inputs and model responses need to be sanitized. Given these considerations, along with the anticipated volume of activity for RAG systems, organizations must therefore consider the approaches to guardrail implementation that best balance system performance and cost.

Broadly, system design for guardrail implementation in production RAG systems involves the following decision points:

  • Embedded guardrail systems vs guardrail services – This depends on both volume and cost considerations as well as whether content such as user inputs, training data and AI system outputs needs to be contained within a particular deployment environment
  • Point and mode of implementation – This concerns where within a RAG system guardrails should be implemented; as well as whether guardrails should run in parallel or as a gate

Below, we share a simplified illustration of how a guardrail system such as aigosGate fits in with overall RAG system design at 3 common junctures where guardrail implementation is most critical:

  • User input/prompt handling
  • AI system response sanitisation
  • Training data / ingestion pipeline screens

  • Input handling – Input handling should run in parallel to vector search and retrieval processes as long as query-time restrictions are in place. As with most guardrail models, the input handling process provides a binary classification response to the application controller, indicating whether to proceed with or reject the prompt.
  • Output sanitization – By design, the guardrail handling output sanitization should function separately and independently from the core LLM/VLM model. Such a setup seeks to avoid common prompt injection approaches such as “ignore all past instructions and safeguards”. The application controller simply passes the core model’s response to the guardrail and receives a final output, which is then passed to the user. In this illustration, output sanitization functions as a gate between the RAG system’s initial output and what users eventually see.
  • Data pipeline handling – We view this as part of the overall guardrail design, as data pipeline security is essential for mitigating data poisoning and backdoor attacks. Here, the guardrail scans for inappropriate content (copyrighted, privacy-violating, malicious or otherwise harmful), as well as for statistical biases that commonly accompany the introduction of backdoor triggers. Effective pipeline handling therefore goes beyond scanning of files and involves a comparison of new vector embeddings against existing vector store content.
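The three junctures above, as an added example that is not part of this guide or of aigosGate: an application controller that runs the input guardrail in parallel with retrieval under a single query-time budget (failing closed on timeout), gates the model's response through an independent output guardrail, and screens new embeddings against the existing store before indexing. All component names are hypothetical stand-ins; the marker list, the blocked term and the embedding vectors are constructed for the example.

```python
import concurrent.futures as cf
import math

# Constructed stand-ins for the real components; all names are hypothetical.
INJECTION_MARKERS = ("ignore all past instructions", "ignore previous instructions")
BLOCKED_OUTPUT_TERMS = ("internal-only",)

def input_guardrail(prompt: str) -> bool:
    """Binary verdict for the application controller: True = proceed, False = reject."""
    text = prompt.lower()
    return not any(marker in text for marker in INJECTION_MARKERS)

def retrieve(prompt: str) -> list:
    return ["doc-1", "doc-2"]                  # stand-in for vector search

def core_model(prompt: str, docs: list) -> str:
    return f"answer({prompt!r}, {docs})"       # stand-in for the LLM/VLM

def output_guardrail(response: str) -> str:
    """Runs outside the core model, so instructions injected into the model cannot disable it."""
    for term in BLOCKED_OUTPUT_TERMS:
        response = response.replace(term, "[redacted]")
    return response

def handle_query(prompt: str, query_budget_s: float = 0.5) -> dict:
    """Input guardrail and retrieval run in parallel; output sanitization is a gate."""
    with cf.ThreadPoolExecutor(max_workers=2) as pool:
        verdict = pool.submit(input_guardrail, prompt)
        docs = pool.submit(retrieve, prompt)
        try:
            allowed = verdict.result(timeout=query_budget_s)
        except cf.TimeoutError:
            return {"status": "rejected", "reason": "guardrail timeout"}  # fail closed
        if not allowed:
            return {"status": "rejected", "reason": "input guardrail"}    # retrieval result discarded
        context = docs.result(timeout=query_budget_s)
    return {"status": "ok", "response": output_guardrail(core_model(prompt, context))}

def cosine(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def ingestion_screen(new_vec, store, dup_threshold=0.98, outlier_threshold=0.3) -> str:
    """Compare a new embedding with existing store content before it is indexed."""
    best = max((cosine(new_vec, v) for v in store), default=0.0)
    if best >= dup_threshold:                  # flooding an existing cluster
        return "review: near-duplicate of existing content"
    if store and best < outlier_threshold:     # isolated content, candidate trigger
        return "review: outlier relative to existing store"
    return "accept"
```

Thresholds are illustrative; in practice they are tuned per embedding model and corpus, and flagged items go to human review rather than being silently dropped.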

Read our full article on Multimodal Guardrails: Securing Multimodal Language Models

Overall, production environment RAG systems present the following key questions. Dive into each of the subtopics through the links below:

  1. API model access vs hosted model on self-managed instances
  2. Choice of model and precision as a trade-off between performance and running cost
  3. Choice of vector databases based on types of supported search algorithm and security options
  4. Data pipeline design for reliability, content safety and performance-focused data pre-processing
  5. Choice of chunking approach based on type of content: length, sentences or logical chunks
  6. Pre-retrieval filters and transformations for security and retrieval performance optimization
  7. Post-retrieval ranking and stacking approaches for performance and cost optimization
  8. Guardrail implementation with consideration for different modalities of inputs and outputs
  9. Logging mechanisms to facilitate performance, cost and security analyses
