v1.1 — Guardrails: pre/post-call enforcement
Five guardrails in the request path on every plan — PII redaction, prompt injection detection, secret scanning, abuse blocking, and response scanning — with org-default + per-key override semantics.
Guardrails are live. Every chat completion, embedding, and image request now flows through a configurable safety pipeline before it reaches the provider — and the response flows back through it before it reaches the caller. No Enterprise paywall: every guardrail is available on every plan from day one.
What ships
Five guardrail providers, all in-path:
- PII redaction — Microsoft Presidio. Detects and masks emails, phone numbers, SSNs, credit cards, names, addresses before the prompt leaves our infrastructure.
- Prompt injection — heuristic + classifier detection on adversarial corpora. Blocks the request with a structured 400 when a known injection pattern is matched.
- Keyword / regex blocklists — bring your own term list or regex. Useful for compliance words, competitor names, internal codenames.
- Custom guardrails — point at any HTTP endpoint that returns { allowed: bool, redacted_text?: string }. We call it pre- and post-call.
- Response scanning — same providers run on the assistant message before the caller sees it.
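A custom guardrail endpoint that returns the { allowed, redacted_text? } shape listed above, written here as an added example and not taken from the product's own code. The page does not document the request body, so the POST JSON field `text`, the 200 status, the listen address and the secret patterns are all assumptions made for illustration.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed patterns for illustration; tune them to the secrets you issue.
REDACT = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),       # AWS access key ID format
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),  # generic "sk-" style API key
]
# A PEM private key header is blocked outright rather than masked.
BLOCK = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")


def check(text):
    """Return {allowed: bool, redacted_text?: str} for one piece of text."""
    if BLOCK.search(text):
        return {"allowed": False}
    redacted = text
    for pattern in REDACT:
        redacted = pattern.sub("[REDACTED_SECRET]", redacted)
    result = {"allowed": True}
    if redacted != text:
        # Only include redacted_text when something was actually masked.
        result["redacted_text"] = redacted
    return result


class GuardrailHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
            body = json.loads(self.rfile.read(length))
            verdict = check(body["text"])  # "text" is an assumed request field
        except (ValueError, KeyError, TypeError):
            # Fail closed: unparseable input is never waved through.
            verdict = {"allowed": False}
        payload = json.dumps(verdict).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), GuardrailHandler).serve_forever()
```

Because the same endpoint is called pre- and post-call, `check` treats prompt text and assistant text identically.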
Scope hierarchy
Guardrails resolve key > team > org. The org default applies unless a team or virtual key overrides it. Per-request override is also supported via extra_body.nemo_guardrail_ids — pass an array of IDs to run only those for this call.
curl https://api.nemorouter.ai/v1/chat/completions \
  -H "Authorization: Bearer sk-nemo-..." \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gemini-2.5-flash",
    "messages": [{"role": "user", "content": "Email me at jane@example.com"}],
    "extra_body": { "nemo_guardrail_ids": ["pii-redact-default"] }
  }'

When a guardrail blocks, the response is a 400 with error.code = guardrail_violation and the offending guardrail ID — never a silent pass-through.
Configure guardrails at /{org}/guardrails. Audit hits at /{org}/observability.