Project 07: NeMo Guardrails Conversation Flow
Build a controlled dialogue flow that enforces safe responses using NeMo Guardrails and Colang.
Quick Reference
| Attribute | Value |
|---|---|
| Difficulty | Level 4 |
| Time Estimate | 2 weeks |
| Main Programming Language | Python |
| Alternative Programming Languages | N/A |
| Coolness Level | 4 |
| Business Potential | 4 |
| Prerequisites | Conversation design, moderation basics |
| Key Topics | Colang flows, safe responses, policy overrides |
1. Learning Objectives
By completing this project, you will:
- Define safe dialogue flows
- Implement Colang-based guardrails
- Add safety fallback responses
- Test flow coverage
2. All Theory Needed (Per-Concept Breakdown)
Guardrails Control Plane Fundamentals
Fundamentals A guardrails control plane is the set of policies, detectors, validators, and decision rules that sit around an LLM agent to ensure it behaves safely and predictably. Unlike traditional input validation, guardrails must handle probabilistic outputs, ambiguous intent, and adversarial prompts. The control plane therefore spans the entire lifecycle of an interaction: input filtering, context validation (including RAG sources), output moderation, and tool-use permissioning. Frameworks such as Guardrails AI and NeMo Guardrails provide structured validation and dialogue control, while models like Prompt Guard or Llama Guard provide detection signals that must be interpreted by policy. The core insight is that no single framework enforces safety end-to-end; you must compose multiple controls and define how they interact.
Deep Dive into the concept A control plane begins with policy: a formal definition of what is allowed and why. Governance frameworks like the NIST AI RMF and ISO/IEC 42001 provide the organizational structure for this policy layer, while OWASP LLM Top 10 provides a security taxonomy for risks. Policies must be translated into guardrail rules that are actionable: detect prompt injection in untrusted data, validate output schemas before tools execute, and block unsafe categories. This translation is non-trivial because LLM outputs are probabilistic and context-sensitive. A policy such as “never leak secrets” must be expressed as a chain of checks: input scanning for malicious prompts, context segmentation for untrusted data, output moderation to catch leakage, and tool gating to prevent exfiltration. Each check introduces uncertainty and cost, which means policy must include thresholds, confidence levels, and escalation paths.
Detectors such as Prompt Guard, Lakera Guard, or Rebuff provide risk scores and categories for injection attempts. These detectors are probabilistic and therefore require calibration. The control plane must normalize detector outputs into a shared risk scale, define what “block” vs “review” means, and log the decision context for later auditing. Output guardrails such as Llama Guard or OpenAI moderation detect unsafe content in generated responses. These checks must be aligned to your own taxonomy; the model’s categories may not map exactly to your policy. This is why evaluation and red-teaming are crucial: without testing, you do not know if your thresholds or taxonomy mappings are effective.
Structured output validation adds determinism to a probabilistic system. Guardrails AI uses validators and schema checks to ensure outputs conform to an expected structure, enabling safer tool calls and data extraction. NeMo Guardrails extends this by introducing Colang, a flow language that constrains dialogue paths and allows explicit safety steps, such as mandatory disclaimers or confirmation prompts. These frameworks provide building blocks, but they do not decide how to integrate them into a business context. For example, a schema validator can ensure a tool call is syntactically correct, but only policy can decide if that tool call should be allowed at all. This is why tool permissioning and sandboxing are critical complement pieces that most guardrails frameworks do not provide natively.
Evaluation is the evidence layer. Tools like garak and OpenAI Evals allow you to run red-team tests and custom evaluation suites to measure whether guardrails are actually working. Without these tests, guardrails may create a false sense of security. Monitoring and telemetry are the final layer: you must log guardrail decisions, measure false positives and negatives, and track drift over time. Guardrails AI supports observability integration via OpenTelemetry, which can feed monitoring dashboards for guardrail KPIs. The control plane is therefore a loop: policies drive controls, controls generate evidence, and evidence updates policies. This loop is the only sustainable way to manage guardrails in production.
How this fit on projects
- You will apply this control-plane model directly in §5.4 and §5.11 and validate it in §6.
Definitions & key terms
- Control plane: The policy-driven layer that decides what an agent may do.
- Detector: A model or rule that assigns risk categories or scores.
- Validator: A structured check that enforces schema or constraints.
- Tool gating: Permissions and constraints for tool execution.
- Evaluation suite: A set of tests that measure guardrails effectiveness.
Mental model diagram
Policy -> Detectors -> Validators -> Tool Gate -> Output
^ | | | |
| v v v v
Evidence <- Logs <- Thresholds <- Decisions <- Monitoring
How it works (step-by-step)
- Define policy risks and acceptable thresholds.
- Select detectors and validators aligned to those risks.
- Normalize detector outputs and enforce schema rules.
- Apply tool permissions based on risk and context.
- Log decisions and run evaluation suites continuously.
Minimal concrete example
Guardrail Decision Record
- input_source: retrieved_doc
- detector: prompt_injection
- score: 0.84
- policy_action: block
- tool_gate: deny
- audit_id: 2026-01-03-0001
Common misconceptions
- “A single framework solves guardrails end-to-end.”
- “Moderation is enough to prevent prompt injection.”
- “Validation guarantees correctness without policy.”
Check-your-understanding questions
- Why is a policy layer required in addition to detectors?
- How do validators reduce tool misuse risk?
- Why is evaluation necessary even if detectors exist?
Check-your-understanding answers
- Detectors provide signals, but policy decides actions and thresholds.
- Validators ensure structured, safe tool inputs before execution.
- Detectors can fail or drift; evaluation reveals blind spots.
Real-world applications
- Enterprise assistants with access to sensitive data
- RAG systems ingesting third-party documents
- Autonomous workflows with high-impact tools
Where you’ll apply it
- See §5.4 and §6 in this file.
- Also used in: P02-prompt-injection-firewall.md, P03-content-safety-gate.md, P08-policy-router-orchestrator.md.
References
- NIST AI RMF 1.0.
- ISO/IEC 42001:2023 AI Management Systems.
- OWASP LLM Top 10 v1.1.
- Guardrails AI framework.
- NeMo Guardrails and Colang.
- Prompt Guard model card.
- Llama Guard documentation.
- garak LLM scanner.
- OpenAI Evals.
Key insights Guardrails are a control plane, not a single model or API.
Summary A layered control plane combines policy, detection, validation, and evaluation into a continuous safety loop.
Homework/Exercises to practice the concept
- Draft a policy map with three risks and a detector for each.
- Define a monitoring dashboard with three guardrail KPIs.
Solutions to the homework/exercises
- Example risks: injection, data leakage, tool misuse; KPIs: block rate, false positives, tool denial rate.
3. Project Specification
3.1 What You Will Build
A controlled dialogue policy that routes unsafe queries to safe responses.
3.2 Functional Requirements
- Define Colang flows for allowed intents
- Add fallback responses for disallowed intents
- Integrate output moderation
- Log flow matches
3.3 Non-Functional Requirements
- Performance: Flow selection under 1 second
- Reliability: Consistent flow matching
- Usability: Predictable responses for users
3.4 Example Usage / Output
$ nemo-guardrails run --scenario finance
User: "Give me insider tips"
Response: "I can't help with that."
3.5 Data Formats / Schemas / Protocols
Flow definitions with intent names, responses, and guardrail steps
3.6 Edge Cases
- Unmatched intents
- Ambiguous user requests
- Multi-intent prompts
3.7 Real World Outcome
This section is the golden reference. You will compare your output against it.
3.7.1 How to Run (Copy/Paste)
- Load Colang files
- Run guardrails runtime
- Test with sample prompts
3.7.2 Golden Path Demo (Deterministic)
Run a fixed set of prompts and compare responses to expected outputs.
3.7.3 If CLI: Exact Terminal Transcript (Success)
$ nemo-guardrails run --scenario finance
Intent: disallowed
Response: safe_refusal
3.7.4 Failure Demo (Deterministic)
$ nemo-guardrails run --scenario finance
ERROR: no flow matched
Action: fallback
Exit codes: 0 on matched flow, 1 on fallback
4. Solution Architecture
The architecture is a flow controller plus moderation layer that constrains dialogue paths.
4.1 High-Level Design
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Input │────▶│ Policy │────▶│ Output │
│ Handler │ │ Engine │ │ Reporter │
└─────────────┘ └─────────────┘ └─────────────┘
4.2 Key Components
| Component | Responsibility | Key Decisions |
|---|---|---|
| Flow Engine | Matches intents to flows | Colang runtime |
| Safety Overrides | Enforces refusals | Policy rules |
| Logger | Records matched flows | Auditability |
4.4 Data Structures (No Full Code)
Flow record fields: intent, matched_flow, response_type, timestamp
4.4 Algorithm Overview
- Detect intent
- Match flow
- Apply safety overrides
- Emit response
5. Implementation Guide
5.1 Development Environment Setup
mkdir nemo-flow && cd nemo-flow
5.2 Project Structure
project/
├── colang/
├── policies/
├── logs/
└── tests/
5.3 The Core Question You’re Answering
“How do I control dialogue flows so the model never enters disallowed paths?”
Flow control ensures predictable, policy-compliant responses.
5.4 Concepts You Must Understand First
- Colang flow control
- Output moderation
5.5 Questions to Guide Your Design
- Intent coverage
- Which intents are allowed?
- What happens when none match?
- Safety overrides
- Which topics require refusal?
5.6 Thinking Exercise
Flow Diagram
Design a flow for financial advice with safe boundaries.
Questions to answer:
- Which intents are allowed?
- Where do you insert refusals?
5.7 The Interview Questions They’ll Ask
- “What is Colang and why use it?”
- “How do you handle unmatched intents?”
- “What are trade-offs of flow control?”
- “How do you test flow coverage?”
- “How do you combine flow control with moderation?”
5.8 Hints in Layers
Hint 1: Start with core intents List 5 common intents.
Hint 2: Add refusals Define explicit refusal flows.
Hint 3: Log unmatched intents Improve coverage.
Hint 4: Add moderation Layer safety checks.
5.9 Books That Will Help
| Topic | Book | Chapter |
|---|---|---|
| Colang | NeMo Guardrails docs | Core concepts |
5.10 Implementation Phases
Phase 1: Intent Design (2-3 days)
Goals: define intents. Tasks: intent list, examples. Checkpoint: intent catalog.
Phase 2: Flow Implementation (3-4 days)
Goals: build flows. Tasks: Colang files. Checkpoint: flow matches.
Phase 3: Safety Overrides (2-3 days)
Goals: add refusals. Tasks: fallback responses. Checkpoint: refusal triggers.
5.11 Key Implementation Decisions
| Decision | Options | Recommendation | Rationale |
|---|---|---|---|
| Flow strictness | strict vs flexible | strict for safety | predictability |
| Fallback | refuse vs safe alternative | safe alternative | UX |
6. Testing Strategy
6.1 Test Categories
| Category | Purpose | Examples |
|---|---|---|
| Unit Tests | Validate core logic | Input classification, schema checks |
| Integration Tests | Validate end-to-end flow | Full guardrail pipeline |
| Edge Case Tests | Validate unusual inputs | Long prompts, empty outputs |
6.2 Critical Test Cases
- Allowed intent: matches flow
- Disallowed intent: refusal
- Unknown intent: fallback
6.3 Test Data
Prompt set: 10 allowed, 10 disallowed, 5 unknown
7. Common Pitfalls & Debugging
7.1 Frequent Mistakes
| Pitfall | Symptom | Solution |
|---|---|---|
| Missing intents | Fallback overuse | Expand intent list |
| Overly strict flows | Low utility | Add alternative flows |
7.2 Debugging Strategies
- Inspect decision logs to see which rule triggered a block.
- Replay deterministic test cases to reproduce failures.
7.3 Performance Traps
Avoid heavy intent classification in the main loop without caching.
8. Extensions & Challenges
8.1 Beginner Extensions
- Add more intents
- Add logging dashboard
8.2 Intermediate Extensions
- Integrate with policy router
- Add multilingual flows
8.3 Advanced Extensions
- Dynamic flow updates
- Hybrid flow + tool gating
9. Real-World Connections
9.1 Industry Applications
- Financial chatbots: Enforces safe advice boundaries
- Healthcare assistants: Prevents unsafe medical advice
9.2 Related Open Source Projects
- NeMo Guardrails: Flow control framework
- Llama Guard: Content moderation model
9.3 Interview Relevance
- Dialogue policy: Flow design reasoning
- Safety overrides: Handling unsafe intents
10. Resources
10.1 Essential Reading
- NeMo Guardrails docs.
- Llama Guard documentation.
10.2 Video Resources
- NeMo Guardrails demos
- Dialogue policy talks
10.3 Tools & Documentation
- NeMo Guardrails docs.
- Llama Guard docs.
10.4 Related Projects in This Series
- Project 3: Content Safety Gate
- Project 8: Policy Router Orchestrator
11. Self-Assessment Checklist
11.1 Understanding
- I can explain the control plane layers without notes
- I can justify every policy threshold used
- I understand the main failure modes of this guardrail
11.2 Implementation
- All functional requirements are met
- All critical test cases pass
- Edge cases are handled
11.3 Growth
- I documented lessons learned
- I can explain this project in an interview
12. Submission / Completion Criteria
Minimum Viable Completion:
- Flows implemented
- Refusals defined
- Flow logs captured
Full Completion:
- All minimum criteria plus:
- Coverage tests pass
- Fallback rates measured
Excellence (Going Above & Beyond):
- Dynamic flow updates
- Multilingual flows