Guardrails 2.0
Keep agents on-brand and compliant at scale
Enterprise-grade safety, ultra-low latency
Two layers of protection
Proactive guidance
Guardrails harden the system prompt with additional instructions that keep agents anchored to their role, especially during longer or more complex calls where drift is most likely.
Real-time enforcement
Separate checks run on every response before it reaches the user. If a violation is detected, the response is blocked and the system takes the action you've defined: end, retry, or escalate.
You choose what happens next
Guardrail
triggered
Pre-built protections and custom control
Configure as many as you need, toggle on/off without deleting.
Automatically redact sensitive information
Before redaction
After a call ends, automatically detect and redact selected sensitive information from your transcripts, recordings, and webhook payloads.
After redaction
Detected entities are replaced with typed placeholders in text and bleeped in audio, keeping conversation context for review and future analysis.
Part of a broader safety foundation
Guardrails 2.0 supports enterprise deployments of ElevenAgents, alongside pre-production safeguards, post-deployment monitoring, and access to the industry's first insurance policies, backed by AIUC-1 certification.
Commonly asked questions
Minimal. Guardrails run concurrently with response generation and typically complete before the full response is ready to deliver. In most cases, users notice no delay at all.
Pre-built Guardrails are currently off by default, so there’s no impact to existing agents when you upgrade. We recommend enabling them (especially Focus) for any production deployment. Soon, Guardrails will be on by default for new agents. You can toggle any individual Guardrail on or off at any time from your agent’s Security tab.
Pre-built Guardrails (Focus, Content, Manipulation) are included at no additional cost. Custom Guardrails are usage-based and costs are passed through like other LLM costs. You can also choose which model evaluates your rules.
Your system prompt guides your agent’s behavior by telling it what to do and how to respond. A Custom Guardrail independently evaluates every agent response against your rule after the model generates it, and blocks violations before they reach the user. Think of your system prompt as instructions and Guardrails as enforcement.
For your most critical policies, we recommend using both: the system prompt and Focus Guardrail shape behavior, and the Custom Guardrail catches anything that slips through, especially in long conversations where models are more likely to drift.
It depends on the Guardrail type and how you’ve configured it. For Custom Guardrails, you choose the exit strategy: end the conversation, transfer to another agent, or escalate to a human. For pre-built Guardrails (Focus, Content, Manipulation), the conversation currently terminates when triggered. Configurable exit strategies for these are coming soon. In all cases, users can start a new conversation immediately. The Guardrail blocks a specific response, not the user.
Every trigger is logged in your conversation analytics. You’ll see which Guardrail fired, why, and the conversation context. Use this to review false positives and refine your rules over time.
Yes. Guardrails are purpose-built for high-stakes deployments. Custom Guardrails let you define domain-specific policies in natural language, such as “do not provide medical diagnoses” or “do not recommend specific investments.” These rules are enforced independently across every conversation, helping reduce compliance exposure without requiring custom infrastructure.
Guardrails 2.0 also supports AIUC-1 compliance alignment and access to the industry’s first AI insurance policies, making it easier to get security and legal teams more comfortable with production deployments. While Guardrails significantly reduce risk, they work best as part of a broader compliance strategy rather than a standalone solution.
By default, conversation logs include transcript and audio data to support analytics, QA, and agent improvement. If you need to limit data exposure, Conversation History Redaction automatically removes selected sensitive information (such as names, payment card numbers, or other PII) from transcripts, recordings, and webhook payloads before they’re stored. Text is replaced with typed placeholders and audio is bleeped. You control exactly which entity types get redacted. Conversation History Redaction is available to enterprise clients.
Yes, and this is the recommended setup. System prompt hardening guides the agent toward the right responses. Guardrails independently enforce your rules as a safety net, so even if the model drifts in a long conversation, violations are caught before delivery. Together they create defense in depth.
Yes. Each Guardrail can be toggled on or off individually. For most production deployments, we recommend keeping all Guardrails enabled (especially Focus). In some cases, a specific Guardrail may conflict with your agent’s intended use case. When in doubt, test before disabling.