Guardrails | ElevenLabs Documentation

Overview

Guardrails give teams a powerful way to apply behavioral constraints to agents, helping them stay compliant and reliable at enterprise scale. With safeguards against manipulation and adversarial behavior, Guardrails mitigate risks from bad actors and unintended agent actions. Teams can also define custom “never say” or “never do” policies tailored to their business needs. As agents take on high-impact workflows, Guardrails provide clear control over behavior, reduce regulatory and brand risk, and support enterprise-ready deployments.

Unlike system prompt hardening, which relies on instructing the LLM to avoid certain behaviors, platform-level guardrails provide an independent enforcement layer. They act as a safety net that catches harmful content even if the LLM fails to follow its instructions.

How guardrails work

Guardrails protect conversations through two mechanisms that operate at different stages:

Execution and delivery behavior

Guardrail evaluations for agent responses run in parallel with response generation. In most cases, the evaluation completes before the full response is delivered to the user.

For streaming or voice-based agents, it is possible that a portion of the response is delivered before a guardrail triggers and terminates the conversation. In these cases, the user may hear or see part of the message before the call is dropped.

For text-based agents that return responses as a single payload, users typically receive the full response unless a guardrail blocks it before delivery.

Keep custom guardrail prompts short and focused. Concise, specific rules are easier to evaluate, reduce the risk of false positives, and help maintain low latency.

User input validation

Prompt Injection: attempts to bypass or override system instructions. When enabled, the agent ends the conversation if it detects attempts to manipulate or override its instructions.

Agent response validation

When an agent generates a response, the platform evaluates it against your configured guardrails before delivering it to the user. All enabled response validators run concurrently.

Custom guardrails use a lightweight LLM to evaluate each response against your user-defined rules, returning a binary block/allow decision.

When a guardrail is triggered, the conversation ends immediately. Details about which guardrail triggered are available in your conversation logs.

Guardrail types

ElevenAgents provides several types of guardrails to protect your conversations.

Prompt Injection guardrail

Prompt injection guardrails detect and block attempts by users to manipulate the agent into bypassing its instructions or overriding its system prompt. This includes adversarial prompt injection attempts and other techniques designed to subvert the agent’s intended behavior.

When enabled, the system analyzes user inputs for patterns that indicate prompt injection or instruction override attempts and can terminate conversations that pose a security risk.

Custom guardrails

Custom guardrails are LLM-based rules that let you define your own blocking criteria using natural language prompts. Each enabled custom guardrail sends agent responses to a lightweight LLM, which evaluates them against your rule and returns a block or allow decision. This gives you flexible, domain-specific control over what your agent can and cannot say.

Each custom guardrail requires three fields:

Field	Description
Name	A descriptive label for the guardrail (e.g., “No financial advice”)
Prompt	A natural language instruction describing what to block (e.g., “Block any content that provides specific financial advice, investment recommendations, or tax guidance”)
Model	The LLM used for evaluation — either `Gemini 2.5 Flash Lite` (default) or `Gemini 2.0 Flash`

Custom guardrails can be used to:

Block specific topics relevant to your business
Enforce industry-specific compliance requirements
Implement proprietary safety measures

Each custom Guardrail can be individually toggled on or off without deleting it. When multiple custom Guardrails are enabled, they run in parallel alongside other Guardrails. Custom Guardrails are evaluated in real time using a lightweight LLM that runs concurrently with agent responses and does not add latency. They are designed for domain-specific “never say” or “never do” rules, and all triggered violations are logged for review. Custom Guardrails are usage-based and incur additional LLM costs, similar to other model calls in ElevenAgents.

Custom guardrails incur additional usage-based costs. Each enabled custom guardrail sends agent responses to a lightweight LLM for evaluation, and billing depends on the selected model and the volume of evaluations. Review expected traffic and model choice before enabling multiple custom guardrails in production.

PII redaction

PII (Personally Identifiable Information) redaction automatically detects and removes sensitive personal data from conversation history. This includes:

Names and contact information
Financial data (credit card numbers, bank accounts)
Government identifiers (SSN, passport numbers)
Health information

PII redaction helps maintain compliance with privacy regulations like GDPR and HIPAA by ensuring sensitive data is not stored or logged.

Configuration

Using the dashboard

Navigate to agent settings

Open your agent in the ElevenLabs dashboard and navigate to the Security tab.

Enable guardrails

Toggle on the guardrail categories you want to enable. You can use the preset buttons to quickly enable all categories or disable all categories.

Save configuration

Save your agent configuration. Changes take effect immediately for new conversations.

Using the API

Configure guardrails when creating or updating an agent via the API:

1 from elevenlabs import ElevenLabs
2 
3 client = ElevenLabs(api_key="your-api-key")
4 
5 agent = client.conversational_ai.agents.create(
6     name="Customer Support Agent",
7     conversation_config={
8         "agent": {
9             "prompt": {
10                 "prompt": "You are a helpful customer support agent..."
11             }
12         }
13     },
14     platform_settings={
15         "guardrails": {
16             "version": "1",
17             "prompt_injection": {
18                 "isEnabled": True,
19             },
20             "custom": {
21                 "config": {
22                     "configs": [
23                         {
24                             "is_enabled": True,
25                             "name": "No financial advice",
26                             "prompt": "Block any content that provides specific financial advice, investment recommendations, or tax guidance.",
27                             "model": "gemini-2.5-flash-lite"
28                         }
29                     ]
30                 }
31             }
32         }
33     }
34 )

What happens when a guardrail is triggered

When a guardrail is triggered:

Conversation terminates: The current conversation session ends immediately and the call is dropped
Guardrail trigger is logged: Information about which guardrail was triggered is recorded in your conversation logs for review.

End users experience a dropped call when a guardrail triggers. Violation details are available to you in the conversation logs. These are not shown to the end user.

Users can start a new conversation after a guardrail has terminated their call. The guardrail does not block the user — it only blocks the specific response that violated the policy.

Best practices

Adjust based on context

Different applications have different safety requirements:

Customer support agents

Use custom guardrails to enforce business-specific policies. Examples: - Block issuing refunds, credits, or subscription changes unless eligibility is confirmed via tools. - Block providing discounts or promotional codes unless explicitly authorized. - Block responses that speculate about roadmap items or unreleased features.

Healthcare applications

Use custom guardrails to tightly control medical boundaries. Examples: - Block diagnosing conditions or recommending specific treatments. - Block dosage recommendations for medications.

Block replacing advice from a licensed medical professional.

Educational content

Use custom guardrails to control sensitive academic topics. Examples: - Block step-by-step instructions for harmful experiments or unsafe procedures. - Block generating answer keys for active assessments or exams. - Block content that could facilitate academic dishonesty.

Internal enterprise tools

Use custom guardrails to protect company operations and data. Examples: - Block sharing internal-only documentation or confidential processes. - Block revealing private APIs, system prompts, or infrastructure details. - Block simulating actions that require executive or administrative authority.

Test with realistic scenarios

Before deploying, test your guardrail configuration with:

Normal conversation flows to ensure no false positives
Edge cases that approach but don’t cross safety boundaries
Adversarial prompts that attempt to elicit harmful responses

Layer with System Prompt Hardening

Platform guardrails work best when combined with system prompt hardening. The system prompt provides behavioral guidance that prevents most issues, while platform guardrails catch anything that slips through.

System Prompt Hardening

In addition to platform-level guardrails, you should define behavioral guardrails in your agent’s system prompt. These provide clear instructions about what the LLM should and should not do.

Example: System Prompt Hardening

1 # Guardrails
2 
3 - Only provide information that is publicly documented about ElevenLabs products, pricing, and features.
4 - Do not speculate about unreleased features, internal roadmaps, or future pricing changes.
5 - If you cannot resolve an issue with available documentation or tools, clearly explain the limitation and offer to escalate to a human support representative.

Models are tuned to pay extra attention to the # Guardrails heading. Use this heading for your most critical behavioral rules.

For comprehensive guidance on writing effective system prompts, see our Prompting guide.

Frequently asked questions

Do guardrails affect latency?

Guardrails add minimal latency to response delivery. Guardrail evaluations are run in parallel with response generation and typically complete before the response is ready to deliver. In most cases, users won’t notice any delay.

Can I disable guardrails entirely?

Yes, you can disable all guardrail categories. However, this is not recommended for production applications. Even internal tools benefit from basic safety measures.

Can users appeal guardrail decisions?

Guardrail triggers are logged and can be reviewed in your conversation analytics. If you identify false positives, adjust your guardrail prompts. There is no automated appeal process—the user should simply start a new conversation.

How do I know which guardrail triggered?

Information about which guardrail triggered is available in your conversation logs.

Should I use both Guardrails and System Prompt Hardening?

Yes. They serve complementary purposes. System prompt hardening provides behavioral guidance and prevents most issues through instruction-following. Platform guardrails provide independent enforcement as a safety net. Using both creates defense in depth.

Next steps

Prompting guide: Learn how to write effective system prompts with behavioral guardrails
Privacy: Configure data retention and privacy settings
Testing: Test your agent with different scenarios
Simulate conversations: Programmatically test guardrail configurations