DeepInspect vs Guardrails AI: A Library You Must Remember to Call, and a Gateway Traffic Must Pass Through
Guardrails AI is an Apache 2.0 Python framework with 70 validators in its Hub, covering PII detection through Presidio, jailbreak detection, secrets scanning, and structured output validation. It runs in the application process, or as a Flask server with OpenAI-compatible endpoints. Both modes are opt-in: a code path that skips the guard is unguarded. This piece covers what Guardrails AI validates well, what it never evaluates, and how the two layers compose.

Guardrails AI is an Apache 2.0 Python framework, roughly 7,100 stars, actively maintained with v0.10.2 released on June 4, 2026. It wraps LLM calls in Input and Output Guards that detect, quantify, and mitigate risks in prompts and responses, and it generates structured data from model output. The Guardrails Hub carries 70 validators. It is a genuinely good piece of software and a lot of teams use it correctly.
The architectural difference between it and a gateway comes down to one sentence: Guardrails AI is a library you must remember to call, and a gateway is something traffic has to pass through. Everything else in this comparison follows from that.
TL;DR
Guardrails AI validates content. It answers whether a prompt or a response is acceptable, using validators such as Presidio-backed PII detection, jailbreak detection, secrets scanning, and format validation. It never asks who is calling, whether that principal is permitted to make the call, or what record proves the decision. DeepInspect answers those three questions and produces a signed audit record. The two are complementary layers, and the honest recommendation for many deployments is to run both.
Guardrails AI: what it is and where it sits
Two deployment modes, and the distinction carries the whole argument.
Library mode, the default. You import Guard and call it in your application code.
The guard object runs in the application process. Enforcement lives wherever the developer chose to call it.
Server mode, added in v0.5.0. A standalone Flask service started with guardrails start --config=./config.py, listening on port 8000 by default. It exposes a REST API and OpenAI-SDK-compatible endpoints, so a client points its base URL at the guard:
The response carries a guardrails key with the validation results. Docker with Gunicorn is the recommended production setup.
The Hub is the strength. Validators are installed by CLI (guardrails hub install hub://guardrails/detect_pii) and cover real ground: detect_pii backed by Microsoft Presidio, detect_jailbreak, secrets_present for API keys in text, toxic_language, competitor_check, web_sanitization for browser-executable strings in output, exclude_sql_predicates, plus policy classifiers such as llamaguard_7b and shieldgemma_2b and deterministic format validators like valid_json and valid_sql. Failure behavior is per-validator through on_fail: raise, filter, fix, or reask.
Guardrails Pro is the managed commercial tier, hosted or deployed in your VPC. No public price list.
What DeepInspect is and where it sits
DeepInspect is a stateless proxy at the AI request boundary between authenticated users or agents and any HTTP LLM endpoint. It evaluates identity-bound policy per request, classifies prompt content against regulated data types, and commits a per-decision audit record with cryptographic integrity. Deterministic, fail-closed, model-agnostic.
Where the two separate
Guardrails has no concept of a principal. There is no authenticated caller in the Guard API. A Guard validates text. It does not know who the user is, what role they hold, or whether that identity is permitted to send this content to this model. There is no policy primitive of the shape "user X in group Y may call model Z with data class D." In server mode, guards are addressed by name in the URL path, and the server does not authenticate the end user or bind the decision to them. The server configuration puts the LLM provider keys in the server environment, which means the upstream provider sees one shared credential rather than the human behind the request. That is the post-authentication gap in a single design decision.
Enforcement is opt-in in both modes. In library mode, a code path that skips guard() is an unguarded code path, and nothing at the network layer notices. In server mode, enforcement depends on the client pointing its base URL at the guard, so any client that addresses the provider directly bypasses it entirely. There is no chokepoint, no sidecar, no egress control. This is not a criticism of the project, which never claimed to be a network control. It is a statement about what the architecture can and cannot guarantee. A control that a developer can forget to call has a coverage number, and the coverage number is unknown.
No documented signed audit record. Guardrails returns validation outcomes in band: a guardrails key on the response object, a ValidationOutcome in Python, exceptions on failure. Nothing in the repository, the docs, or the Hub describes a tamper-evident or signed record binding a decision to an identity, a policy version, and a timestamp. Observability dashboards are a Pro feature, and a dashboard is not an audit record. Since Guardrails has no identity primitive, there is nothing to bind a record to even in principle.
Feature comparison
| Capability | Guardrails AI | DeepInspect | |---|---|---| | PII detection | Yes, detect_pii via Presidio | Yes | | Jailbreak detection | Yes, detect_jailbreak | Yes, as one policy input | | Secrets detection in text | Yes, secrets_present | Yes | | Toxic language, topic restriction | Yes, Hub validators | Policy-driven | | Structured output validation | Yes, Pydantic schemas, valid_json, valid_sql | Out of scope | | Output correction and reask | Yes, on_fail fix and reask | Modify or block | | Extensible validator ecosystem | Yes, 70 validators in the Hub | Policy engine, not a plugin hub | | Identity of the caller | No concept of a principal | Natural person from the identity provider | | Per-role or per-route policy | No | Yes | | PHI and MNPI classification | No named taxonomy | Yes | | Enforcement traffic must pass through | No, opt-in by import or base URL | Yes, a network chokepoint | | Bypassable by a developer | Yes, by skipping the call | No | | Per-decision signed audit record | Not documented | Yes | | Fail-closed posture | Per-validator on_fail | Default, architectural | | License | Apache 2.0, free; Pro is commercial | Commercial |
Pick Guardrails AI if
Pick Guardrails AI if you need content validation inside a Python application and the developers writing that application are the people responsible for the guarantee. Pick it if structured output matters, because Pydantic-schema validation with reask is a real capability that a network gateway does not provide and should not try to. Pick it if the Hub's validator ecosystem covers your risk set, because 70 maintained validators with Presidio behind the PII one is a lot of value for an Apache 2.0 license. Pick it if you want the guard co-located with the business logic that knows what a valid response looks like, since that context lives in the application and nowhere else.
Pick DeepInspect if
Pick DeepInspect if the requirement is a guarantee rather than a convention, meaning that no code path can reach a model without being evaluated. Pick it if the policy has to vary by who is asking, which Guardrails has no way to express. Pick it if the classification requirement extends into PHI, MNPI, or jurisdictional categories. Pick it if an auditor will ask for a record binding a decision to a named person, a policy version, and a timestamp, on a write path the application cannot suppress. And pick it if the model estate spans languages and services beyond the Python application where the guard lives.
Composition in production
These two are complementary, and I want to be clear that I mean it rather than saying it as a courtesy.
DeepInspect answers the authorization question at the network boundary, where it cannot be bypassed, and produces the evidence. Guardrails answers the content and structure question inside the application, where the schema and the business context live. A validator that checks a response parses as valid SQL belongs in the application. A control that decides whether a paralegal may send privileged content to a third-party model belongs at the boundary and has to be non-bypassable.
The failure mode to avoid is treating either one as the other. A Guard cannot be the network control. A gateway should not be validating your Pydantic schemas.
Pricing approach
The Guardrails AI core framework is Apache 2.0 and free. Guardrails Pro is a managed commercial tier, available hosted or deployed in your own VPC, with a private validator hub, SLAs, and support, and it is also listed on AWS Marketplace. No public price list, and usage-based pricing through sales. DeepInspect is priced through sales conversation and deploys self-hosted or managed.
DeepInspect
This is the gap DeepInspect closes. Guardrails AI evaluates the content. DeepInspect evaluates the principal, and it does so at a point in the network that traffic cannot route around.
Every request is evaluated against the natural-person identity the application supplies, the route it arrived on, the classification of the data in the prompt, and the policy version active at that moment. The decision is deterministic and fail-closed, and it happens before the request reaches the model. Every decision produces a signed, identity-bound audit record, committed before the response returns, on a write path the application never has custody of. That last property is what separates evidence from a log: the system that made the AI call has no ability to alter the record describing it, which is the requirement an EU AI Act Article 12 reviewer or a HIPAA auditor is actually testing.
Run Guardrails inside the application for content and schema. Run DeepInspect at the boundary for authorization and evidence. If you are trying to prove coverage of AI traffic across services that a Python library never sees, let's talk today.
Frequently asked questions
- Is Guardrails AI a security control?
It is a content validation framework, and it is a good one. Whether it functions as a security control depends on a property the framework cannot enforce: that every code path calling a model also calls the guard. In library mode the guard runs in the application process, so a developer who forgets the call, or a new service that never adopted the pattern, produces unguarded traffic that nothing at the network layer observes. In server mode enforcement depends on the client pointing its base URL at the guard, and a client can point at the provider directly. A control with an unknown coverage number is a mitigation rather than a guarantee.
- Does Guardrails AI detect PII?
Yes, well. The
detect_piivalidator is backed by Microsoft Presidio, and the Hub carries roughly 70 validators covering jailbreak detection, secrets in text, toxic language, topic restriction, competitor mentions, browser-executable strings in output, and deterministic format checks. What it has no named taxonomy for is PHI or MNPI. A clinical workload that needs to recognize a SOAP note, or a trading desk that needs material non-public information detection, is building that logic itself.- Can Guardrails AI produce an audit trail?
Nothing in the repository, documentation, or Hub describes a signed or tamper-evident audit record. Guardrails returns validation outcomes in band, as a
guardrailskey on the response object and aValidationOutcomein Python, and raises exceptions on failure. Guardrails Pro adds observability dashboards, and a dashboard is a different artifact than an audit record. The deeper reason is structural: an audit record binds a decision to an identity, and Guardrails has no identity primitive, so there is no principal to bind a record to.- What is the best Guardrails AI alternative?
It depends what you are replacing. If you want content validation in a Python application, the honest answer is that Guardrails AI is strong and the alternatives, NeMo Guardrails and LLM Guard among them, are lateral moves. If what you actually need is a control that traffic cannot bypass, that varies policy by who is asking, and that produces evidence an auditor accepts, then you are not looking for an alternative validator. You are looking for a different layer, and that is a gateway rather than a library.
- How is DeepInspect different from Guardrails AI?
Guardrails asks whether this content is acceptable. DeepInspect asks whether this authenticated person, on this route, is permitted to send this class of data to this model right now, and what record proves the decision. Guardrails runs in the application process or as an opt-in server. DeepInspect runs at the network boundary as a chokepoint, so nothing routes around it. Guardrails returns a validation outcome in band. DeepInspect commits a signed record on a write path the application cannot reach. Different questions, different layers, and the sensible deployment runs both.
- Can I run Guardrails AI and DeepInspect together?
Yes, and it is the pattern I would recommend for a Python application handling regulated data. DeepInspect sits at the network boundary, binds the natural-person identity, classifies the prompt content, applies the per-route policy, commits the signed record, and forwards to the model. Guardrails runs inside the application on the response, checking schema validity, structure, and content properties that only the business logic knows how to specify. The boundary control handles authorization and evidence. The library handles correctness and shape. Neither is doing the other's job badly.