Guardrails

Guardrails That Are Governed, Not Just Turned On

Cloptima runs prompt-injection, jailbreak, PII, and secret detectors on gateway traffic, then treats the cost and risk of those checks as a first-class policy decision — with approvals, versioned bypass, and a full audit trail.

app.cloptima.ai/llm/policies
Guardrail cost governance
Last 7 days · production policies
Illustrative
Requests scanned
1.8M
Guardrail cost avoided
$3,410
via cost-aware downgrade
Blocked before egress
212
Recent bypass and block events
Prompt injection detected
app=support-ai · blocked
Blocked
Exact-cache-hit bypass
profile v3 · versioned exception
Approved bypass
PII detector — downgraded profile
cost cap exceeded, lightweight scan applied
Downgraded

Govern access before spend happens

Guardrails are usually sold as a yes/no feature: every request gets scanned, or none do. That ignores two real constraints — heavy detectors add latency and cost on every call, and a scan that always blocks or always allows creates its own risk: silent bypass with no record, or blanket enforcement that breaks legitimate high-volume traffic. Teams need guardrails a security reviewer can trust and a platform team can afford at scale.

  • Detector cost scales with traffic, but budgets rarely account for it
  • Blanket enforcement breaks trusted high-volume or pre-verified traffic
  • Bypass decisions with no owner, no version, and no audit trail
  • No visibility into how much guardrail cost is being avoided versus incurred

One policy layer across model usage

Cloptima's gateway core evaluates prompt-injection, jailbreak, PII, and secret detectors inline on gateway traffic, then applies a cost-benefit policy: downgrade to a lightweight profile, require human approval, or block, based on a configured cost mode and per-request cost cap. Bypass is never silent — it is versioned, scoped to specific trusted app profiles or exact-cache-hit conditions, and every bypass and every block is written to an auditable evidence trail with redaction applied before storage.

  • Prompt injection, jailbreak, PII, and secret detectors on gateway traffic
  • Guardrail cost mode: downgrade, require-approval, or block when a per-request cost cap is exceeded
  • Versioned guardrail profile publishing, so a weakened profile can't ship without review
  • Policy-controlled bypass for exact-cache hits and pre-verified app profiles only — never a blanket exception
  • Full bypass and block audit stream with evidence redaction, reviewable in the Audit tab

Start with one app, then expand

Turn on detection in observe mode for your highest-risk apps, review the bypass and block audit stream for a week, then decide which app profiles are trusted enough for a scoped, versioned bypass — publish that as an approved guardrail profile version rather than a silent config change.

Built for private production AI

Guardrail cost decisions run in the same policy evaluation as budget and routing checks, so a heavy detector's cost is priced and capped before it runs, not audited after the fact. Profile publishing goes through the same approval queue as policy and budget changes, so a guardrail can't be quietly loosened by one engineer — every change needs a reviewer, and every approved change is versioned.

Launch path

Enable detectors on a policy, set a guardrail cost mode and per-request cost cap, and review the Audit tab's bypass stream before publishing any bypass exception.

FAQ

Operationalize LLM FinOps Across Your Apps

Start with telemetry, gateway governance, or provider bill matching workflows. Keep model spend connected to engineering ownership and finance reporting.

No credit card required
5-minute setup
Free trial