01What exactly does this wrap — one chatbot, or every LLM call in the company?
One shared pipeline wraps every prompt and every response: applications declare a policy, and the same rails run for chat, RAG (answers grounded in retrieved documents), and agents — safety logic exists once, not re-invented per team — and the rails include topical bounds (keeping the conversation inside declared subject areas), not only harm screening.
02What happens to a prompt before the model ever sees it?
Input rails classify the prompt for injection and jailbreak attempts and detect PII, masking it before the prompt ever leaves our boundary for a model provider.
03The user pastes a document — is that treated like their own words?
No: pasted and retrieved content is data, never instructions — a retrieval rail scans it for embedded commands, because indirect injection rides in on documents, not on what the user typed.
04What happens to the model’s answer before the user sees it?
Output rails redact PII, classify the text against policy, and check grounding against the sources — an answer that leaks a phone number or invents a claim is caught before display, not after.
05The model wants to call a tool — does it just run?
Never directly: every tool call passes a gate — allowlist, schema-validated arguments, and a risk tier where destructive actions require explicit confirmation or a human.
06What does a blocked user actually see?
A safe, specific message with a retry or appeal path — and the decision is logged with detector scores and the policy version that made it, so a wrong block can be explained and fixed.