Security Model
How Guardrail Layer enforces strict security boundaries between LLMs, application logic, and production databases.
Security First, Not Security Later
Guardrail Layer is designed around a simple premise:
LLMs must never be trusted with direct access to production data.
The security model assumes that:
- LLMs can generate unsafe or adversarial queries
- Read-only database access is insufficient protection
- Inference attacks are realistic and likely
- Auditing must include intent and decision context
Trust Boundaries
Guardrail Layer enforces explicit trust boundaries between system components.
- LLMs: Treated as untrusted. Never connect directly to databases or hold credentials.
- Application logic: Authenticates users and forwards identity context, but does not bypass policy.
- Guardrail Layer: Trusted enforcement point. Owns policy evaluation and execution decisions.
- Databases: Protected resources. Only receive queries approved by Guardrail Layer.
Credential Isolation
Database credentials are never exposed to LLMs or client-side code.
- Credentials are stored and managed by Guardrail Layer
- LLMs never receive connection strings or secrets
- Queries execute under tightly scoped service accounts
Even a compromised prompt cannot escalate database privileges.
Policy-Driven Access Control
Access is governed by explicit, deterministic policies — not ad-hoc checks.
Policies control:
- Which tables and columns are visible
- Allowed query types and structures
- Aggregation and inference limits
- Execution cost and frequency
Defense Against Inference Attacks
Guardrail Layer actively mitigates inference risks by:
- Small-Group Protection: Restricts aggregations that could expose individual records through statistical analysis.
- Query Pattern Detection: Identifies and limits repeated exploratory queries that could reconstruct sensitive data.
- Role-Specific Constraints: Applies different query limitations based on user roles and permissions.
- Agent Restrictions: Enforces stricter limits on automated agents to prevent systematic data extraction.
Multi-Tenant Isolation
Tenant boundaries are enforced at the policy layer, independent of database structure or user accounts.
Cross-tenant access is impossible without an explicit policy violation.
Deterministic Enforcement
Guardrail Layer avoids probabilistic or heuristic enforcement mechanisms.
This ensures:
- Repeatable decisions
- Explainable outcomes
- Reliable audit trails
Auditability & Transparency
Every enforcement decision is recorded with full context:
- Original query
- Transformed query (if any)
- Matched policies
- Decision reasons
- Execution metadata
Security decisions are observable, reviewable, and attributable.
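The policy checks, small-group and agent limits, tenant rewrite and audit record described in the sections above, as an added example that is not Guardrail Layer's own code: the policy dictionary, the Query and Identity shapes, and the group_size and recent_queries inputs are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed policy for this example; the real Guardrail Layer policy format is not documented here.
POLICY = {
    "allowed_statements": {"SELECT"},
    "visible_columns": {"orders": {"tenant_id", "region", "amount"}},  # customer_email deliberately absent
    "min_group_size": 5,  # small-group protection: aggregates over fewer rows are refused
    "max_queries_per_minute": {"agent": 10, "analyst": 60},  # stricter limit for automated agents
}

@dataclass(frozen=True)
class Query:
    statement: str
    table: str
    columns: tuple
    filters: tuple = ()  # (column, value) pairs, ANDed together
    group_size: Optional[int] = None  # smallest group an aggregate would expose; None for row-level queries

@dataclass(frozen=True)
class Identity:
    user: str
    role: str  # "analyst" or "agent"
    tenant_id: str
    recent_queries: int = 0  # queries already issued in the current minute, supplied by the caller

def evaluate(query: Query, who: Identity, policy=POLICY) -> dict:
    """Deterministic: the same query, identity and policy always yield the same audit record."""
    matched, reasons = [], []
    if query.statement not in policy["allowed_statements"]:
        matched.append("allowed_statements"); reasons.append(f"{query.statement} is not permitted")
    hidden = [c for c in query.columns if c not in policy["visible_columns"].get(query.table, set())]
    if hidden:
        matched.append("visible_columns"); reasons.append(f"hidden columns requested: {hidden}")
    if query.group_size is not None and query.group_size < policy["min_group_size"]:
        matched.append("min_group_size"); reasons.append(f"aggregate over {query.group_size} rows is too small")
    limit = policy["max_queries_per_minute"][who.role]
    if who.recent_queries >= limit:
        matched.append("max_queries_per_minute"); reasons.append(f"{who.role} limit of {limit}/min reached")
    allowed = not reasons
    # Tenant isolation is a rewrite done here, not a filter the caller is trusted to include;
    # a query that names another tenant simply ANDs down to an empty result.
    transformed = replace(query, filters=query.filters + (("tenant_id", who.tenant_id),)) if allowed else None
    return {
        "allowed": allowed, "original": query, "transformed": transformed,
        "matched_policies": matched, "reasons": reasons,
        "execution_metadata": {"user": who.user, "role": who.role, "tenant_id": who.tenant_id},
    }
```

Every returned record carries the original query, the transformed query (or None when denied), the matched policies and the reasons, so a denied request is as reviewable as an executed one.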
Deployment Security
Guardrail Layer supports both hosted and self-hosted deployments without weakening security guarantees.
- Hosted: managed infrastructure with strict isolation
- Self-hosted: runs inside your security perimeter
See Hosted vs Self-Hosted for details.
Why This Model Works
Guardrail Layer does not attempt to make LLMs "safer".
It makes unsafe behavior impossible to execute.