Minimal. Guardrails run concurrently with response generation and typically complete before the full response is ready to deliver. In most cases, users notice no delay at all.

Pre-built Guardrails are currently off by default, so there’s no impact to existing agents when you upgrade. We recommend enabling them (especially Focus) for any production deployment. Soon, Guardrails will be on by default for new agents. You can toggle any individual Guardrail on or off at any time from your agent’s Security tab.

Pre-built Guardrails (Focus, Content, Manipulation) are included at no additional cost. Custom Guardrails are usage-based and costs are passed through like other LLM costs. You can also choose which model evaluates your rules.

Your system prompt guides your agent’s behavior by telling it what to do and how to respond. A Custom Guardrail independently evaluates every agent response against your rule after the model generates it, and blocks violations before they reach the user. Think of your system prompt as instructions and Guardrails as enforcement.

For your most critical policies, we recommend using both: the system prompt and Focus Guardrail shape behavior, and the Custom Guardrail catches anything that slips through, especially in long conversations where models are more likely to drift.

It depends on the Guardrail type and how you’ve configured it. For Custom Guardrails, you choose the exit strategy: end the conversation, transfer to another agent, or escalate to a human. For pre-built Guardrails (Focus, Content, Manipulation), the conversation currently terminates when triggered. Configurable exit strategies for these are coming soon. In all cases, users can start a new conversation immediately. The Guardrail blocks a specific response, not the user.

Every trigger is logged in your conversation analytics. You’ll see which Guardrail fired, why, and the conversation context. Use this to review false positives and refine your rules over time.

Yes. Guardrails are purpose-built for high-stakes deployments. Custom Guardrails let you define domain-specific policies in natural language, such as “do not provide medical diagnoses” or “do not recommend specific investments.” These rules are enforced independently across every conversation, helping reduce compliance exposure without requiring custom infrastructure.

Guardrails 2.0 also supports AIUC-1 compliance alignment and access to the industry’s first AI insurance policies, making it easier to get security and legal teams more comfortable with production deployments. While Guardrails significantly reduce risk, they work best as part of a broader compliance strategy rather than a standalone solution.

By default, conversation logs include transcript and audio data to support analytics, QA, and agent improvement. If you need to limit data exposure, Conversation History Redaction automatically removes selected sensitive information (such as names, payment card numbers, or other PII) from transcripts, recordings, and webhook payloads before they’re stored. Text is replaced with typed placeholders and audio is bleeped. You control exactly which entity types get redacted. Conversation History Redaction is available to enterprise clients.

Yes, and this is the recommended setup. System prompt hardening guides the agent toward the right responses. Guardrails independently enforce your rules as a safety net, so even if the model drifts in a long conversation, violations are caught before delivery. Together they create defense in depth.

Yes. Each Guardrail can be toggled on or off individually. For most production deployments, we recommend keeping all Guardrails enabled (especially Focus). In some cases, a specific Guardrail may conflict with your agent’s intended use case. When in doubt, test before disabling.