What are AI agent guardrails?

AI agent guardrails are security controls that constrain what AI agents can do, what inputs they can accept, and what outputs they can return. D2's guardrails provide input validation, output sanitization, and output validation to prevent AI agents from performing unauthorized or dangerous actions. Our guardrails are the most comprehensive in the industry, offering declarative configuration and unified operators for maximum flexibility.

Why do I need authorization for AI agents?

AI agents are autonomous systems that can call functions, access APIs, and interact with databases. Without proper authorization, an AI agent could be exploited to access sensitive data, perform privileged operations, or chain multiple actions together in dangerous ways. D2 provides function-level authorization specifically designed for agentic AI, including RBAC, guardrails, and sequence enforcement to prevent these security risks.

How is D2 different from traditional authorization systems?

Traditional authorization systems focus on endpoint-level security, but AI agents operate at the function level. D2 provides function-level authorization that protects individual tool calls, not just API endpoints. We also offer guardrails (input/output validation) and sequence enforcement (preventing dangerous tool call chains) that are critical for agentic AI security but absent in traditional systems. This makes D2 the best authorization tool for AI agents and LLM-powered applications.

What is sequence enforcement for AI agents?

Sequence enforcement prevents AI agents from chaining multiple function calls together in dangerous ways. For example, an attacker might try to make an AI agent first query sensitive data, then exfiltrate it via email. D2's sequence enforcement tracks the order of function calls and blocks unauthorized sequences, providing defense-in-depth for agentic AI systems.

How fast can I deploy D2 AI agent guardrails?

D2 is designed for rapid deployment. You can add AI agent guardrails and authorization to your application in under 5 minutes: install the SDK, add the @d2_guard decorator to your functions, generate a policy template with our CLI, and configure RBAC. No additional infrastructure or complex setup required.

Does D2 work with LangChain, LlamaIndex, and other AI frameworks?

Yes! D2 is framework-agnostic and works with any Python framework or LLM library. Whether you're using LangChain, LlamaIndex, AutoGPT, or building custom AI agents, D2's decorator-based approach integrates seamlessly. Simply add the @d2_guard decorator to any function your AI agent will call, regardless of the underlying framework.

What is the difference between deterministic and nondeterministic guardrails?

Deterministic guardrails use explicit rules (RBAC, schema validation) and always produce the same decision for the same input. Nondeterministic guardrails use AI/LLM judgment (content moderation, intent classification) and may produce variable results. For authorization and access control, deterministic guardrails are essential for security and compliance.

Why do AI agents need deterministic guardrails?

AI agents operate at the function level, not the API endpoint level. Traditional authorization systems cannot secure individual function calls. Deterministic guardrails provide function-level authorization with predictable, auditable decisions—critical for security, compliance, and preventing attacks like data exfiltration.

How does D2 implement deterministic guardrails?

D2 implements deterministic guardrails through three mechanisms: 1) Function-level RBAC controlling who can call which functions, 2) Input/output guardrails for validation and sanitization, and 3) Sequence enforcement to prevent multi-step attacks. All are defined in declarative policies and enforced at runtime with minimal overhead.

Deterministic Guardrails for AI Agents

Deterministic guardrails are rule-based security controls that provide predictable, verifiable authorization for AI agents. Unlike nondeterministic approaches that rely on LLM judgment, deterministic guardrails use explicit logic - RBAC, input validation, sequence enforcement - to control what AI agents can and cannot do.

What Are Deterministic Guardrails?

Deterministic guardrails are security controls that enforce authorization decisions through explicit, repeatable rules. When an AI agent attempts an action, deterministic guardrails evaluate the request against predefined policies and make a binary decision: allow or deny.

The "deterministic" property means that given the same inputs (user context, function call, parameters), the guardrail will always produce the same decision. There's no ambiguity, no probabilistic reasoning - just pure logic.

Deterministic

Predictable, repeatable decisions

Rule-based authorization (RBAC)

Input validation against schemas

Sequence enforcement patterns

Auditable and explainable

Nondeterministic

Probabilistic, variable decisions

LLM-based judgment calls

Content moderation via AI

Intent classification

Harder to audit and explain

Why Deterministic Guardrails Are Critical for Agentic AI

Agentic AI systems - where AI makes autonomous decisions and executes functions - face a fundamental authorization problem: how do you ensure an AI agent only does what it's allowed to do?

Predictability

In production systems, you need guaranteed behavior. Deterministic guardrails ensure the same input always produces the same authorization decision.

Security

Authorization is too critical to delegate to probabilistic systems. Deterministic guardrails provide cryptographic-level certainty about what AI agents can access.

Auditability

Compliance and security teams need explainable decisions. Deterministic guardrails provide clear audit trails.

The AuthZ Problem in Agentic AI

Traditional authorization systems operate at the API endpoint level. But agentic AI doesn't call endpoints - it calls individual functions based on natural language instructions.

This creates a massive security gap: even if your API is locked down, an AI agent with access to powerful functions can bypass all controls through prompt injection, data exfiltration, or multi-step attacks.

Deterministic guardrails solve this by moving authorization to the function level, where AI agents actually operate.

Three Types of Deterministic Guardrails

D2 implements deterministic guardrails through three complementary mechanisms:

1. Function-Level RBAC

Role-Based Access Control defines who can call which functions. Each function is protected by a declarative policy that maps roles to permissions.

policy.yaml

# Weather API policy
tools:
  weather_api:
    allowed_roles:
      - developer
      - admin
    denied_roles:
      - guest

Result: Developers and admins can call get_weather(), guests cannot. The decision is deterministic and instant.

2. Input & Output Guardrails

Input guardrails validate function arguments before execution. Output guardrails sanitize or validate return values after execution.

policy.yaml

tools:
  database_query:
    guardrails:
  input:
    - type: schema_validation
      field: query
      schema:
        type: string
        max_length: 1000
            pattern: "^SELECT.*FROM users.*$"

Result: Any query exceeding 1000 characters or not matching the pattern is automatically denied before reaching the database.

3. Sequence Enforcement

Sequence enforcement prevents multi-step attacks by defining required or forbidden sequences of function calls.

policy.yaml

# Prevent data exfiltration
sequences:
  prevent_exfiltration:
    forbidden_sequences:
      - [read_database, send_email]
      - [read_database, call_external_api]

Result: If an AI agent reads from the database, it cannot subsequently send email or call external APIs in the same session - preventing exfiltration attacks.

When to Use Deterministic vs Nondeterministic Guardrails

Both approaches have their place. The key is understanding which problems require determinism and which benefit from AI judgment.

Use Deterministic Guardrails For:

Authorization decisions - Who can call what

Data access control - PII, credentials, sensitive APIs

Compliance requirements - GDPR, SOC 2, audit trails

Attack prevention - Sequence enforcement, rate limits

Schema validation - Input format, type checking

Use Nondeterministic Guardrails For:

Content moderation - Toxicity, hate speech detection

Intent classification - Understanding user goals

Semantic validation - Does output answer the question?

Prompt injection detection - Spotting adversarial inputs

Brand safety - Ensuring on-brand responses

D2's approach: Start with deterministic guardrails for all authorization and access control decisions. Layer nondeterministic guardrails on top for content-level safety. This defense-in-depth strategy ensures security is never probabilistic, while still leveraging AI for nuanced content decisions.

Implementing Deterministic Guardrails with D2

D2 provides a zero-infrastructure approach to deterministic guardrails. Add a single decorator to your functions, define policies in YAML, and authorization is enforced at runtime.

Code-Level Protection

tools.py

from d2 import d2_guard, set_user
@d2_guard("database_query")
def query_users(sql: str):
    return db.execute(sql)
# Set user context
set_user("alice", roles=["developer"])
# This call is deterministically evaluated
result = query_users("SELECT * FROM users")

The @d2_guard decorator intercepts every function call and applies deterministic guardrails before execution.

Policy Definition

declarative_policy.yaml

tools:
  database_query:
    allowed_roles:
      - admin
      - developer
    guardrails:
      input:
        - type: schema_validation
          field: sql
          schema:
            type: string
            max_length: 2000
            pattern: "^SELECT.*"
      output:
        - type: pii_removal
          fields:
            - ssn
            - credit_card

All authorization logic lives in declarative policies. Update the policy file and changes propagate within seconds - no code deployment required.

Technical Properties of Deterministic Guardrails

Idempotency

A deterministic guardrail is idempotent: evaluating the same request multiple times produces identical results. This property is critical for retry logic, distributed systems, and debugging.

Composability

Multiple deterministic guardrails can be composed together. D2 evaluates RBAC, input guardrails, sequence checks, and output guardrails in a defined order, all deterministically.

Low Latency

Because deterministic guardrails don't require LLM calls, they add minimal overhead to function execution. This makes them suitable for high-throughput production systems.

Testability

Deterministic guardrails are fully testable. You can write unit tests that assert authorization behavior, with no mocks or test doubles required.

Secure Your AI Agents with Deterministic Guardrails

Get predictable, auditable, function-level authorization for agentic AI in under a minute.

Related Resources

Policy Guide

Learn how to write declarative policies for deterministic authorization

Architecture

Understand how D2's runtime authorization engine works

FAQ

Common questions about securing AI agents with guardrails

Deterministic Guardrails for AI Agents

What Are Deterministic Guardrails?

Deterministic

Predictable, repeatable decisions

Rule-based authorization (RBAC)

Input validation against schemas

Sequence enforcement patterns

Auditable and explainable

Nondeterministic

Probabilistic, variable decisions

LLM-based judgment calls

Content moderation via AI

Intent classification

Harder to audit and explain

Why Deterministic Guardrails Are Critical for Agentic AI

Agentic AI systems - where AI makes autonomous decisions and executes functions - face a fundamental authorization problem: how do you ensure an AI agent only does what it's allowed to do?

Predictability

In production systems, you need guaranteed behavior. Deterministic guardrails ensure the same input always produces the same authorization decision.

Security

Authorization is too critical to delegate to probabilistic systems. Deterministic guardrails provide cryptographic-level certainty about what AI agents can access.

Auditability

Compliance and security teams need explainable decisions. Deterministic guardrails provide clear audit trails.

The AuthZ Problem in Agentic AI

Traditional authorization systems operate at the API endpoint level. But agentic AI doesn't call endpoints - it calls individual functions based on natural language instructions.

Deterministic guardrails solve this by moving authorization to the function level, where AI agents actually operate.

Three Types of Deterministic Guardrails

D2 implements deterministic guardrails through three complementary mechanisms:

1. Function-Level RBAC

Role-Based Access Control defines who can call which functions. Each function is protected by a declarative policy that maps roles to permissions.

policy.yaml

# Weather API policy
tools:
  weather_api:
    allowed_roles:
      - developer
      - admin
    denied_roles:
      - guest

Result: Developers and admins can call get_weather(), guests cannot. The decision is deterministic and instant.

2. Input & Output Guardrails

Input guardrails validate function arguments before execution. Output guardrails sanitize or validate return values after execution.

policy.yaml

tools:
  database_query:
    guardrails:
  input:
    - type: schema_validation
      field: query
      schema:
        type: string
        max_length: 1000
            pattern: "^SELECT.*FROM users.*$"

Result: Any query exceeding 1000 characters or not matching the pattern is automatically denied before reaching the database.

3. Sequence Enforcement

Sequence enforcement prevents multi-step attacks by defining required or forbidden sequences of function calls.

policy.yaml

# Prevent data exfiltration
sequences:
  prevent_exfiltration:
    forbidden_sequences:
      - [read_database, send_email]
      - [read_database, call_external_api]

Result: If an AI agent reads from the database, it cannot subsequently send email or call external APIs in the same session - preventing exfiltration attacks.

When to Use Deterministic vs Nondeterministic Guardrails

Both approaches have their place. The key is understanding which problems require determinism and which benefit from AI judgment.

Use Deterministic Guardrails For:

Authorization decisions - Who can call what

Data access control - PII, credentials, sensitive APIs

Compliance requirements - GDPR, SOC 2, audit trails

Attack prevention - Sequence enforcement, rate limits

Schema validation - Input format, type checking

Use Nondeterministic Guardrails For:

Content moderation - Toxicity, hate speech detection

Intent classification - Understanding user goals

Semantic validation - Does output answer the question?

Prompt injection detection - Spotting adversarial inputs

Brand safety - Ensuring on-brand responses

Implementing Deterministic Guardrails with D2

D2 provides a zero-infrastructure approach to deterministic guardrails. Add a single decorator to your functions, define policies in YAML, and authorization is enforced at runtime.

Code-Level Protection

tools.py

from d2 import d2_guard, set_user
@d2_guard("database_query")
def query_users(sql: str):
    return db.execute(sql)
# Set user context
set_user("alice", roles=["developer"])
# This call is deterministically evaluated
result = query_users("SELECT * FROM users")

The @d2_guard decorator intercepts every function call and applies deterministic guardrails before execution.

Policy Definition

declarative_policy.yaml

tools:
  database_query:
    allowed_roles:
      - admin
      - developer
    guardrails:
      input:
        - type: schema_validation
          field: sql
          schema:
            type: string
            max_length: 2000
            pattern: "^SELECT.*"
      output:
        - type: pii_removal
          fields:
            - ssn
            - credit_card

All authorization logic lives in declarative policies. Update the policy file and changes propagate within seconds - no code deployment required.

Technical Properties of Deterministic Guardrails

Idempotency

A deterministic guardrail is idempotent: evaluating the same request multiple times produces identical results. This property is critical for retry logic, distributed systems, and debugging.

Composability

Multiple deterministic guardrails can be composed together. D2 evaluates RBAC, input guardrails, sequence checks, and output guardrails in a defined order, all deterministically.

Low Latency

Because deterministic guardrails don't require LLM calls, they add minimal overhead to function execution. This makes them suitable for high-throughput production systems.

Testability

Deterministic guardrails are fully testable. You can write unit tests that assert authorization behavior, with no mocks or test doubles required.

Secure Your AI Agents with Deterministic Guardrails

Get predictable, auditable, function-level authorization for agentic AI in under a minute.

Related Resources

Policy Guide

Learn how to write declarative policies for deterministic authorization

Architecture

Understand how D2's runtime authorization engine works

FAQ

Common questions about securing AI agents with guardrails