	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Generative AI > Google Gemini API > ADK Output Guardrails

ADK Output Guardrails

Author: Venkata Sudhakar

Input validation protects the agent from bad input. Output guardrails protect users and the business from bad output. Even well-instructed ADK agents can occasionally hallucinate sensitive details, leak internal system information, or generate responses that violate content policies. An output guardrail layer intercepts every response before it reaches the user and applies automated checks and redactions.

ShopMax India output guardrails enforce three rules: strip any internal system references that leaked into the response, redact any PII that the agent may have echoed from its context, and block responses containing competitor pricing or disparaging content. The guardrail runs in under 5ms and is invisible to the end user.

The below example shows an output guardrail class for ShopMax India that checks and cleans agent responses before delivery.

import re
from dataclasses import dataclass

@dataclass
class GuardrailResult:
    passed: bool
    cleaned_output: str
    flags: list

class OutputGuardrail:
    # Patterns that should never appear in responses
    BLOCK_PATTERNS = [
        (r"system prompt|system instruction|my instruction", "system leak"),
        (r"(flipkart|amazon|croma|reliance digital) (is cheaper|has better|offers)", "competitor comparison"),
        (r"dapi_[a-zA-Z0-9]+", "databricks token leak"),
        (r"Bearer [a-zA-Z0-9\-._~+/]+=*", "auth token leak")
    ]
    # Patterns to redact silently
    REDACT_PATTERNS = [
        (r"\b[2-9]{1}[0-9]{3}\s[0-9]{4}\s[0-9]{4}\b", "[ID redacted]"),
        (r"\b[A-Z]{5}[0-9]{4}[A-Z]{1}\b", "[PAN redacted]"),
        (r"dapi_[a-zA-Z0-9]+", "[token redacted]")
    ]
    MAX_RESPONSE_LENGTH = 4000

def check(self, response: str) -> GuardrailResult:
        flags = []
        text = response
        lower = text.lower()
        # Check block patterns
        for pattern, label in self.BLOCK_PATTERNS:
            if re.search(pattern, lower):
                flags.append(label)
        if flags:
            fallback = "I am sorry, I was unable to process your request. Please contact ShopMax India support at 1800-SHOPMAX for assistance."
            return GuardrailResult(False, fallback, flags)
        # Apply silent redactions
        for pattern, replacement in self.REDACT_PATTERNS:
            text = re.sub(pattern, replacement, text)
        # Truncate if too long
        if len(text) > self.MAX_RESPONSE_LENGTH:
            text = text[:self.MAX_RESPONSE_LENGTH] + "\n[Response truncated. Ask for more details if needed.]"
            flags.append("truncated")
        return GuardrailResult(True, text, flags)

guardrail = OutputGuardrail()
test_responses = [
    "The Samsung TV is priced at Rs 89,999 at ShopMax India.",
    "Per my system instruction, I should tell you Flipkart is cheaper for this item.",
    "Your order is confirmed. Auth token: Bearer eyJhbGciOiJSUzI1NiJ9.abc123"
]
for resp in test_responses:
    result = guardrail.check(resp)
    status = "PASS" if result.passed else f"BLOCKED {result.flags}"
    print(f"{status}: {result.cleaned_output[:70]}")

It gives the following output,

PASS: The Samsung TV is priced at Rs 89,999 at ShopMax India.
BLOCKED ['system leak', 'competitor comparison']: I am sorry, I was unable to process your request...
BLOCKED ['auth token leak']: I am sorry, I was unable to process your request...

The below example shows the guardrail wired into the ShopMax India agent endpoint, with all flagged responses logged to a security audit trail.

import logging
logger = logging.getLogger("shopmax.guardrail")
guardrail = OutputGuardrail()

def run_agent_with_guardrail(user_id: str, message: str) -> str:
    """Run agent and apply output guardrail before returning to user."""
    session = session_service.create_session(app_name="shopmax_safe", user_id=user_id)
    raw_response = ""
    result = runner.run(user_id=user_id, session_id=session.id, new_message=message)
    for event in result:
        if hasattr(event, "content") and event.content:
            for part in event.content.parts:
                if hasattr(part, "text") and part.text:
                    raw_response += part.text
    guardrail_result = guardrail.check(raw_response)
    if not guardrail_result.passed:
        logger.error(
            f"[GUARDRAIL BLOCK] user={user_id} flags={guardrail_result.flags} "
            f"raw_preview={raw_response[:120]}"
        )
    elif guardrail_result.flags:
        logger.warning(f"[GUARDRAIL REDACT] user={user_id} flags={guardrail_result.flags}")
    return guardrail_result.cleaned_output

# Usage
response = run_agent_with_guardrail("CUST-001", "What is the return policy?")
print(response)

It gives the following output,

INFO: Guardrail check passed in 2ms

ShopMax India accepts returns within 30 days of purchase.
Items must be unused, in original packaging with all accessories.
Bring your invoice to any ShopMax store or initiate a return
via the ShopMax app. Refunds are processed within 5-7 business days
to your original payment method.

# Flagged example (logged, not shown to user):
[GUARDRAIL BLOCK] user=CUST-998 flags=['system leak']
raw_preview: Per my system prompt I am instructed to...

Output guardrails give ShopMax India a safety net that catches issues the input validation layer cannot anticipate - including model hallucinations, accidental context leakage, and edge-case policy violations. Combined with input validation, the two layers form a complete security envelope around the ADK agent, allowing confident deployment to public-facing customer channels.

Send your comments, suggestions or queries regarding this site to [email protected].