"Add some guardrails" is the most quietly confused instruction in agent engineering. It sounds like one task, so teams go shopping for one tool, sort the GitHub results by stars, and install whatever's on top. Then they're surprised when the thing meant to stop their bot from leaking a customer's email does nothing to stop it from cheerfully explaining how to build a weapon — or vice versa. The confusion is upstream of the tooling. "Guardrail" names at least three different jobs, and the three most-installed open-source projects in this space each do exactly one of them well.

The useful way to read them is by which layer of a request they sit on. One checks the shape of a single output. One governs the arc of a whole conversation. One judges the safety of a message's content. They are not competitors. Comparing them as if you pick a winner is a category error — the production answer is usually all three, in a specific order.

The output validator

guardrails-ai/guardrails
A Python framework that validates and corrects a single LLM output against composable "validators" — schema, PII, toxicity, topic, competitor mentions — with a 50+ validator Hub
★ 7kPythonguardrails-ai/guardrails

Guardrails AI operates on one unit: a single model response, on its way out. You declare what a valid output looks like — matches this Pydantic schema, contains no PII, stays on topic, mentions no competitor — and it runs the response through a pipeline of validators, each of which can pass, fix, or reject. The Hub of 50+ pre-built validators is the real draw; most of what you want to assert about an output already exists as a drop-in.

The tell is the granularity. This is output enforcement, not conversation management — it has no opinion about what was said three turns ago, only about whether this response is well-formed and clean. That makes it the natural fit when the model must return structured, trustworthy data: the JSON your downstream code will parse, the answer that must not contain a phone number. Reach for it when your failure mode is "the output was malformed or said something it shouldn't." It is the wrong tool for "the conversation went somewhere it shouldn't."

The conversation router

NVIDIA/NeMo-Guardrails
An NVIDIA toolkit for adding programmable rails to LLM apps — define allowed topics, dialogue flows, and actions in the Colang DSL, enforced across input, dialog, and output stages
★ 6.5kPythonNVIDIA/NeMo-Guardrails

NeMo Guardrails operates on the whole exchange. You write rails in Colang, a small DSL for describing conversation: which topics are in bounds, what the bot should do when a user steers off them, when to invoke a tool, what canonical responses to fall back to. Instead of judging one output, it governs the flow — input rails, dialog rails, and output rails as distinct stages around the model.

That programmability is the reason to choose it and the reason it costs more to adopt. Colang is genuinely expressive — you can encode "if the user asks about anything outside banking, politely decline and offer the three things we do handle" as a rule rather than as a prayer in the system prompt — but it's another language and another mental model to maintain, and latency tracks the complexity of your rails. This is the layer you want when the risk lives in the trajectory of the dialogue, not in any single message: topical containment, multi-turn policy, controlled tool use.

The content classifier

meta-llama/PurpleLlama
Meta's LLM-security toolset; its Llama Guard models are open-weight classifiers that label a prompt or response safe/unsafe with a taxonomy of harm categories
★ 4.2kPythonmeta-llama/PurpleLlama

Llama Guard, shipped inside Meta's PurpleLlama, is the odd one out — and the most composable. It isn't a framework at all; it's a model. You hand it a prompt or a response and it returns safe or unsafe plus a category code from a harm taxonomy (violence, self-harm, hate, and so on). Because it's open-weight, you can self-host it and keep moderation inside your own environment instead of shipping every message to a third-party safety API.

The other two decide what to check. Llama Guard is a thing you check with.

That's why it slots underneath the other two rather than against them. Guardrails AI can call it as a validator; NeMo can invoke it as an input or output rail. On its own it does one thing — content moderation of a single message — but it does it as a fast, swappable component. Use it when your concern is the substance of what's coming in or going out: jailbreak attempts on the way in, harmful generations on the way out.

The stack, not the showdown

Put the three on their layers and the "vs" dissolves. A serious production setup tends to look like a pipeline: Llama Guard as a quick content scan on the input, NeMo rails to keep the conversation in bounds and route tool use, Guardrails AI to validate the final output's format and content before it leaves. Each catches a class of failure the others structurally cannot — format, flow, and content are different debris in the same pipe.

So the question isn't "which guardrail library wins." It's "which layer am I currently unprotected on?" If your bot returns malformed JSON, no content classifier will save you. If it wanders off-topic into your competitor's product, no output schema will catch it. If it answers a harmful request in perfectly valid JSON, your validator waves it right through. Decide what you're actually guarding — the shape, the path, or the substance — and the choice stops being a popularity contest. Guarding outputs pairs naturally with evaluating them and with keeping the agent off paths it shouldn't take at all; guardrails are the runtime half of the same discipline.