SingGuard-NSFA Offers Open-Source Guardrails for Agentic AI
A new open-source framework, SingGuard-NSFA, has been released to provide robust guardrails for agentic AI workflows, addressing operational threats with advanced risk taxonomy and efficient inference modes.

A new open-source framework named SingGuard-NSFA has been introduced to bolster the security of agentic AI workflows by implementing comprehensive guardrails against operational threats. Developed to address the growing complexities and potential risks associated with autonomous AI agents, SingGuard-NSFA provides a structured approach to mitigating vulnerabilities inherent in these systems.
The framework is built upon four distinct models, each based on Qwen3.5 base backbones, and available in parameter sizes of 0.8B, 2B, 4B, and 9B. This tiered approach allows for flexibility in deployment, catering to different performance and resource requirements while maintaining a consistent security posture.
Central to SingGuard-NSFA is its novel risk taxonomy, which meticulously organizes threats along the Confidentiality, Integrity, and Availability (CIA) triad. This taxonomy defines 185 distinct risk variants, further grouped into broader domains and categories. These are cross-validated against established security guidelines, including those from OWASP, ensuring a thorough and industry-aligned approach to threat identification. The taxonomy specifically addresses query-side threats such as prompt injection, jailbreaks, malicious code requests, sensitive information exfiltration, dangerous operations, tool abuse, and resource exhaustion. It also covers response-side threats like hazardous action generation and sensitive data leakage.
SingGuard-NSFA operates in two distinct inference modes to cater to various use cases. The generative mode produces a detailed chain-of-thought analysis, grounded in the risk taxonomy, culminating in a structured risk judgment. This mode is particularly useful for compliance auditing and in-depth human review of potential security issues. In contrast, the real-time classification mode offers a more performant solution for production environments. It routes the final token embedding from a single forward pass into lightweight, parallel classification heads, achieving per-sample latencies between 45 and 57 milliseconds, making it suitable for integration directly into the request path of live AI agents.
Performance benchmarks for SingGuard-NSFA report impressive results, with F1 scores consistently exceeding 94% across all four models on multilingual test sets. These scores reportedly surpass competing guardrails of similar sizes by several percentage points. The benchmarks encompass 133 languages and utilize cross-source evaluation sets adapted from prominent agent-security datasets like AgentDojo, InjecAgent, and AgentHarm. The backbone training employs chain-of-thought supervised fine-tuning, incorporating explicit boundary tags to prevent injected instructions from influencing the analysis phase.
An important feature of SingGuard-NSFA is its extensibility. The framework is designed such that adding new risk categories does not necessitate retraining the entire backbone model. Security teams can train small classification heads on embeddings from the frozen backbone and integrate them seamlessly. This pipeline maintains its real-time latency budget even with tens of thousands of heads, demonstrating remarkable scalability. Furthermore, these classification heads are compatible with other guardrail systems; when integrated with Llama Guard 3, the combined system showed significant improvements on multilingual query benchmarks and smaller gains on response and cross-source tests.
SingGuard-NSFA is freely available on GitHub, providing developers and organizations with a powerful, open-source tool to enhance the security and reliability of their agentic AI deployments. This release marks a significant step towards more secure and trustworthy AI systems in operational environments.