SingGuard-NSFA: an open-source guardrail built for agent execution, not just content
Ant Group open-sourced a guardrail family that screens an agent's requests and actions before they run — 185 threat scenarios, 133 languages, and ~50 ms classification latency.
What is this?
On July 12, 2026, Ant Group’s AI Security Lab announced the open-source release of SingGuard-NSFA, a guardrail model family aimed at a gap most safety classifiers leave open: the behavior of an autonomous agent, not just the text it generates. Where a conventional content-safety filter asks “is this output harmful?”, SingGuard-NSFA is designed to sit in the request path and validate an agent’s incoming instructions and outgoing actions before a tool call or shell command executes. The project ships four models — 0.8B, 2B, 4B, and 9B parameters, all built on Qwen3.5 backbones — under an open-source license on GitHub and Hugging Face.
The framing matters because the threat model has moved. As open-source agent frameworks such as OpenClaw popularized “one-click deployment” and full-stack autonomy, they also normalized agents that read untrusted content and then act on it. The OWASP Top 10 for Agentic Applications 2026 now formally lists goal hijacking, tool misuse, malicious code execution, and identity-and-privilege abuse as first-class risks — behavioral failures that output moderation alone was never built to catch.
How it works
SingGuard-NSFA is organized around the NSFA risk taxonomy, which maps threats onto the classic confidentiality-integrity-availability triad and enumerates 185 operational threat scenarios across seven top-level categories. Five cover query-side threats — prompt injection and jailbreaks, malicious-code and cyberattack requests, sensitive-information theft, dangerous operations and tool abuse, and resource abuse — and two cover response-side threats: hazardous action generation and sensitive-information leakage. Ant Group says the taxonomy was cross-validated against three OWASP guidelines.
The models run in two modes. A generative mode emits a chain-of-thought analysis grounded in the taxonomy followed by a structured verdict, intended for audit trails and human review. A real-time classification mode takes the last-token embedding from a single forward pass and routes it into lightweight per-domain heads that fire in parallel; the project reports per-sample latency of 45–57 ms, low enough to sit inline in front of a production agent. Backbone training uses chain-of-thought supervised fine-tuning with explicit boundary tags wrapping external text — a deliberate step to stop injected instructions in retrieved content from steering the classifier’s own analysis.
One design choice stands out for practitioners: the taxonomy is extensible without retraining. A team can train a small classification head on the frozen backbone’s embeddings and plug it in for a new risk category, and the developers report the pipeline stayed within its latency budget even at tens of thousands of heads. The same heads reportedly transfer to other guardrails — bolted onto Llama Guard 3, the combined system gained 17.6 F1 points on the project’s multilingual query benchmark.
Why it matters
Two things make this release worth a defender’s attention. First, it targets the right layer. Most deployed guardrails are content classifiers positioned at model output; an agent that has already been steered into calling a dangerous tool is not helped by a filter that only reads the final text. A pre-action check on requests and proposed actions is closer to where agent harm actually happens.
Second, the multilingual breadth is unusual. The reported benchmark spans 133 languages with nearly 100,000 test samples, and includes a cross-source evaluation set adapted from public agent-security datasets — AgentDojo, InjecAgent, and AgentHarm. Multilingual and obfuscated inputs are a well-documented blind spot for English-centric guardrails, so coverage at this breadth, if it holds up, addresses a real evasion surface.
The appropriate caution: the performance figures — F1 above 94% across the four models, the 0.8B model rivaling 8B competitors, a 9B content-safety head within one F1 point of WildGuard and GPT-5.1 — are vendor-reported benchmarks, not independent evaluations. Guardrail leaderboards are notoriously sensitive to test-set construction, and prior research has repeatedly shown production guardrails failing under adaptive attacks they were never benchmarked against. Treat the numbers as a starting hypothesis to verify on your own traffic, not a settled result.
Defenses
For teams evaluating this or any agent guardrail, a few concrete practices:
- Place the check before the action, not only after the text. The value here is pre-execution interception of tool calls and shell commands. Wire the guardrail into the approval path so a flagged request blocks the action, and log the generative-mode rationale for audit.
- Keep the guardrail as one layer, never the only one. A model-based classifier is probabilistic and bypassable. Pair it with deterministic controls — least-privilege tool scoping, allowlisted commands, network egress limits, and human approval for high-impact actions — so a single evasion does not equal a breach.
- Re-benchmark on your own languages and tools. Vendor F1 scores rarely survive contact with a specific deployment. Build a small red-team set from your real tool surface and the languages your users actually speak, and measure false negatives before trusting inline blocking.
- Watch the latency-versus-coverage trade. The 45–57 ms classification mode is cheap; generative mode is not. Reserve chain-of-thought analysis for audit and escalation, and load-test the inline path under realistic concurrency.
- Verify provenance before you deploy weights. Pull the models from the official repository, pin versions, and treat any third-party mirror as untrusted supply chain.
Status
| Item | Value |
|---|---|
| Type | Open-source agent guardrail framework (defensive tooling) |
| Publisher | Ant Group AI Security Lab (project org: inclusionAI) |
| Models | 0.8B / 2B / 4B / 9B, Qwen3.5 backbones |
| Taxonomy | NSFA — 185 threat scenarios, 7 categories, CIA-triad organized |
| Modes | Generative CoT verdict; real-time classification (~45–57 ms/sample) |
| Benchmark | 133 languages, ~100k samples; cross-source from AgentDojo, InjecAgent, AgentHarm |
| Reported result | F1 >94% across models; +17.6 F1 when added to Llama Guard 3 (vendor-reported) |
| Availability | GitHub (inclusionAI/SingGuard-NSFA) and Hugging Face, open source |
| Announced | July 12, 2026 |
Key dates: July 12, 2026 — open-source release announced by Ant Group’s AI Security Lab; coverage followed July 13–15 (TechNode, Help Net Security). The release builds on the lab’s earlier OpenClaw security audits and the April 2026 ClawAegis plugin (with Tsinghua University). Performance claims are those stated by the project and have not been independently verified at the time of writing.
Sources
- → https://www.businesswire.com/news/home/20260712722454/en/Ant-Group-Open-Sources-SingGuard-NSFA-to-Establish-New-Security-Paradigms-for-Autonomous-AI-Agents
- → https://www.helpnetsecurity.com/2026/07/15/singguard-nsfa-open-source-agentic-ai-guardrails/
- → https://technode.com/2026/07/13/ant-group-unveils-ai-safety-models-for-agents-and-multimodal-systems/
- → https://github.com/inclusionAI/SingGuard-NSFA
- → https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/