1. Introduction
Large Language Models (LLMs) are capable of performing complex tasks in daily life, spanning academic, personal, and professional domains. The widespread adoption of these models highlights the need for implementing security tools and layers, as integrating these models into sensitive environments increases the risk of unauthorized exposure of critical/sensitive data, whether personal or corporate [
1]. Among the existing risks are adversarial attacks, such as prompt injection and jailbreak, which aim to manipulate the behavior of a language model [
2]. This vulnerability stems from a fundamental architectural flaw: LLMs process both system instructions and user inputs through a unified natural language mechanism, lacking clear syntactic boundaries to separate trusted instructions from untrusted data [
2]. Because of the stochastic nature of generative AI, perfect prevention against sophisticated prompt injections remains unachievable through standard internal mechanisms, rendering these models inherently exploitable. Consequently, the consensus in the cybersecurity community emphasizes that relying solely on built-in model safety is insufficient; instead, defense-in-depth strategies involving external validation layers are strictly necessary to limit damage during inevitable breaches [
2].
Indeed, recent studies highlight that LLMs can inadvertently memorize and reproduce personal or sensitive information present in their training data, leading to severe privacy breaches [
3]. This friction between generative AI and data protection frameworks is exacerbated by the vast, almost universal scale of data processing required for machine learning [
4]. Because these models scrape nearly the entire internet for training datasets, they inevitably process personal data, creating a structural tension with fundamental privacy requirements such as the principle of data minimization [
4]. Furthermore, it has been proven that LLMs are able to memorize this training data and can reproduce it during user interactions, highlighting the urgent need for robust safeguards to prevent the unauthorized output of private information [
4]. These vulnerabilities are particularly critical during the inference phase, where adversaries exploit the model’s generative capabilities through prompt manipulation, often resulting in model misuse such as the generation of harmful content or data exfiltration [
5]. The threat landscape has evolved rapidly; adversarial strategies have shifted from basic natural language overrides to highly sophisticated, multi-stage indirect injections that exploit structured formats and integrated tools [
6]. These evolved adversarial tactics are capable of circumventing even advanced alignment mechanisms, such as reinforcement learning from human feedback (RLHF), demonstrating that models exhibit nuanced vulnerabilities and remain highly susceptible to complex contextual manipulations [
6]. Furthermore, the inherent opacity and black-box nature of Transformer-based models complicate direct interpretability and internal security [
3]. Consequently, the implementation of external defense layers, such as LLM guardrails—algorithms designed to validate input data and filter malicious outputs—has emerged as a crucial mitigation strategy to prevent model misuse without altering the underlying model parameters [
5].
Several studies have sought to address these threats through different approaches. Examples include comprehensive benchmarks for testing security flaws in user–LLM interactions [
7], security frameworks and real-time breach detection [
8], and robust datasets with a large number of samples of potential manipulation attempts [
9]. Therefore, despite the advances already achieved in LLM security, a significant gap remains to be filled: current models are susceptible to attacks, particularly in cases where they fail to correctly interpret the semantics of interactions [
10]. Furthermore, recent evaluations demonstrate that relying solely on dimension-specific internal tuning—such as fine-tuning exclusively for safety—often degrades the model’s performance in real-world settings [
11]. This isolated alignment increases the model’s sensitivity but reduces its robustness when dealing with complex queries that require balancing safety, value, and cultural dimensions simultaneously, leading to high false failure rates and spurious rejections of legitimate interactions [
11]. Therefore, focusing solely on identifying dangerous words or forcing internal safety alignment is insufficient to ensure robust protection without severely compromising the utility of the model.
In this regard, the present study proposes to evaluate a specific LLM trained to meet this demand: NVIDIA’s Llama-3.1-nemoguard-8b-content-safety. The model is evaluated strictly in its role as an LLM-Firewall, i.e., as an external security layer designed to protect user interaction with LLMs, and not as a general-purpose language model or a replacement for internal alignment mechanisms. Through the evaluation of this model, this study aims to characterize its efficacy in threat detection, presenting practical assessments of its performance. To this end, the Do Not Answer dataset was used, which contains 939 malicious user prompts. To complement this evaluation, another 939 benign prompts were synthetically created to balance the dataset. The evaluation conducted consisted of calculating binary classification metrics; analysis by risk categories; and calculating the model’s compensation rate, which corresponds to a new metric proposed in this work to measure the capacity of Llama-3.1-nemoguard-8b-content-safety to act as a second line of defense in cases where the model used to generate the response answers prompts it should not.
Following this Introduction, the article is organized into four sections.
Section 2 presents recent literature on LLM vulnerabilities and containment strategies, highlighting benchmarks and frameworks that support the scope of this work.
Section 3 describes the materials and methods used to conduct the experiments.
Section 4 presents the results obtained from the proposed methodology. Finally,
Section 5 synthesizes the main findings and suggests perspectives for future work.
2. Related Works
The widespread use of LLMs presents significant security-related challenges. Although effective and versatile, these models exhibit critical vulnerabilities that can lead to harmful consequences, such as sensitive data leakage, information manipulation, and adversarial attacks. Such vulnerabilities highlight the importance of research aimed at understanding, mitigating, and preventing these risks.
A key initial step in knowing the flaws of existing LLM alignments is an evaluation of security robustness across many different model families. A recent study [
12] mapped the vulnerabilities of models like Llama, Gemma, and Gemini to well-known security standards like MITRE ATLAS and the OWASP Top 10 for LLMs. Results demonstrate that models remain vulnerable to jailbreaking and indirect prompt injection even after internal safety tuning, and performance differences indicate that larger models are not always less susceptible to complex adversarial prompts. This evidence reinforces the need for defense strategies that operate independently of the model’s internal parameters. This external approach corresponds to the precise positioning of the guardrail layer evaluated in the present work.
The persistence of adversarial attacks in interactions with LLMs is a subject highlighted by [
13], exposing how prompt injection and jailbreak techniques exploit vulnerabilities and advocating for strict adherence to legal terms and ethical alignment as essential components of any security strategy. Complementarily, ref. [
14] propose the MASTERKEY framework, which, through response time analysis—inspired by blind SQL injection attacks—bypasses defense mechanisms in commercial chatbots and automates the generation of jailbreak prompts with a 21.6% success rate, evidencing the need for dynamic, multi-criteria security systems to effectively protect user–LLM interactions.
Furthermore, the threat of prompt injection extends beyond direct user-model interaction. Analyzes show indirect prompt injection (IPI)—attacks where malicious instructions are embedded in retrieved content (e.g., web pages or search results) and interpreted as code by the LLM during inference [
15]. This vector drastically expands the attack surface, allowing remote compromise of LLM-integrated applications, data leakage, and unauthorized API execution. The taxonomy proposed by the authors maps impacts including response manipulation, misinformation, and privilege escalation, demonstrating that conventional filters on the model’s input/output channel are insufficient. This finding directly motivates the evaluation of a second-layer semantic verification model, as proposed in this work.
Another system that automatically evaluates jailbreak prompts and classifies responses is presented by [
16] and is called JailbreakLens. It identifies which parts of the prompt have the greatest impact, extracting and organizing relevant keywords. The interface offers four views: case configuration, performance summary, component analysis, and term inspection, allowing real-time adjustment of security criteria. This focus on automated classification of adversarial inputs is methodologically aligned with the evaluation approach adopted in this study.
Ref. [
7] presents WALLEDEVAL, a security evaluation tool for LLMs that centralizes over 35 vulnerability benchmarks, including prompt injection and jailbreak tests. The framework also incorporates text mutators to assess model robustness against writing variations and enables the comparison of content moderator (or firewall) efficacy, such as WALLEDGUARD. The need for systematic firewall benchmarking highlighted by WALLEDEVAL supports the methodological motivation of the present work.
Garak [
8] is a tool that utilizes red-teaming, an active security testing methodology, to conduct security tests on LLMs. The system divides testing into four parts—generators, probes, detectors, and adjustments—and fires thousands of malicious questions to reveal flaws that would go unnoticed in fixed checklists, providing teams with a direct path to map weaknesses and prioritize fixes without requiring deep knowledge of offensive security. The logic of quantifying defense efficacy through objective metrics, as employed by garak, is consistent with the evaluation methodology adopted in this study.
Furthermore, ControlNet [
17] is presented as a firewall for RAG pipelines which, instead of searching for prohibited words, learns the internal “rhythm” of normal queries and detects when something out of the ordinary occurs. When the query or document deviates from the pattern, the system triggers an alert and corrects the route with a lightweight module, without retraining the model. Tests conducted with Llama-3, Vicuna, and Mistral show that it blocks over 90% of cases of espionage, leakage, unauthorized access, and content poisoning, keeping response quality practically intact. ControlNet’s behavioral approach complements the semantic classification strategy evaluated here, highlighting different dimensions of external defense layer design.
Complementing semantic evaluation tools, Mavani [
18] proposes the Autonomous AI Governance Framework (AAGF), which integrates deterministic sanitization layers into LLM data pipelines. A key contribution of this work is the Output Sanitation Layer (OSL), acting as a final “compliance gate” to enforce data privacy mandates such as GDPR and HIPAA in real-time.
Unintentional memorization of sensitive training material, which can be used by contextual privacy attacks trying to collect private information via specific prompt sequences, is a recurring problem in LLM security. In order to improve compliance with laws like the GDPR [
19], researchers have suggested selective forgetting (also known as scrubbing) and goldfish loss techniques, which enable models to “unlearn” particular data points or exclude sensitive tokens during training. Since these techniques focus on changing the model’s internal knowledge after its creation, they are frequently computationally expensive or impractical for large-scale production models. In contrast to these internal modification approaches, the present work evaluates a guardrail model as an additional, real-time inference-phase defense layer—a more flexible and deployable safeguard that does not require permanent modification of the base model.
Distributed environments also present unique privacy risks, as explored by FedShieldLLM [
20], which investigates privacy leakage in Federated Learning (FL) for LLMs. Despite the decentralized nature of FL, sensitive information can still be extracted through gradient-based attacks or unauthorized context propagation. The study introduces a detection and protection framework to mitigate these leaks during the training and inference phases. These findings underscore the broader relevance of robust filtering layers in multi-party settings, complementing the inference-phase defense evaluated in this work.
Automated frameworks such as APRT (Automated Progressive Red Teaming), which employs an Intention Hiding LLM to hide malicious intent within misleading prompts, have changed the security landscape. These progressive attacks effectively move beyond safety alignments in models like GPT-4o mini and Claude-3.5, as Jiang et al. [
21] shown. They suggested using the Attack Effectiveness Rate (AER) to assess these risks, highlighting the importance of robust semantic security layers that can intercept complex, context-dependent vulnerabilities.
The UDora framework [
22] demonstrates how adversaries can dynamically hijack an agent’s reasoning process by injecting targeted perturbations into its planning stages, effectively compelling the model to execute malicious actions or unauthorized tool invocations. These findings suggest that semantic firewalls may need to evolve beyond input/output monitoring—a limitation also acknowledged in the scope of the present evaluation.
RedAgent [
23] operates as an autonomous red-teaming system that adapts jailbreak attacks to the specific context of a target application by leveraging structured knowledge retrieval. The fact that this agent can compromise customized models within a few attempts demonstrates that static security barriers are often bypassed when attacks exploit the model’s own operational context. This scenario highlights the importance of evaluating semantic firewalls under targeted and adaptive attack conditions—a direction identified as a priority for future work in this study.
SafeGPT, a bidirectional guardrail system created to reduce sensitive data leakage and the production of harmful content in enterprise environments, was proposed by Desai et al. [
24]. Based on the idea of a comprehensive semantic firewall, this design combines output-side moderation and reframing with input-side detection and redaction. The bilateral structure of SafeGPT is conceptually related to the defense-in-depth configuration assessed in this work, where the guardrail model is positioned as a secondary layer over the base model’s responses.
The OpenRT [
25] framework identifies novel vulnerabilities specific to agentic workflows, such as chain-of-thought exploitation and tool-use manipulation. By automating the discovery of logic-based failures, this research demonstrates that traditional prompt filters are often insufficient when agents possess the agency to execute multi-step plans, highlighting a critical need for semantic firewalls that can monitor the entire reasoning trajectory.
Reinforcing the shift toward autonomous vulnerability discovery, Chimera-RL [
26] introduces an end-to-end framework that utilizes Reinforcement Learning (RL) to automate the generation of adversarial prompts. By optimizing an agent to maximize the probability of eliciting unsafe responses, Chimera-RL demonstrates superior efficiency in discovering edge-case failures compared to static or heuristic-based methods, highlighting a growing trend where defensive layers must not only withstand initial probes but also resist adaptive, multi-turn red-teaming agents.
Zhang et al. [
27] introduced a Secure Multi-Tenant Architecture (SMTA) and a Burn-After-Use (BAU) mechanism to prevent data leakage across departmental boundaries. While our evaluation focuses on semantic detection, the BAU protocol addresses contextual persistence by enforcing the automatic destruction of conversational artifacts and embeddings upon session termination, ensuring that sensitive data remains ephemeral and protected from post-session recovery or internal inference attacks.
Another necessary topic for this study is the creation of synthetic structured datasets. AEGIS 2.0, proposed by [
9], offers 34,248 samples of human-LLM interactions annotated according to a taxonomy of 12 risk categories and 9 subcategories, ranging from hate speech to criminal planning. The dataset combines benign and adversarial prompts with expected responses for each situation. Along with SafetyBench [
28], which gathers 11,435 multiple-choice questions in English and Chinese, distributed across seven security dimensions, such as toxicity, physical and mental health, privacy, and illicit activities, among others. By adopting prompts with more objective questions, the benchmark enables rapid and automatic evaluations of the models’ ability to recognize and refuse unsafe instructions, presenting a strong correlation with safe generation skills. Both datasets informed the design choices of the evaluation corpus used in this work, particularly the adoption of risk categories as the primary analytical dimension.
Despite the breadth of tools, benchmarks, and defense frameworks surveyed, a consistent gap emerges across the literature: the majority of existing evaluations focus either on the attack surface or on the primary model’s internal alignment, with limited attention to the performance of external guardrail layers as a second line of defense. Furthermore, most studies do not assess how these layers behave when the underlying model itself fails—that is, when internal alignment is insufficient and the firewall must serve as the last line of interception. The present work directly addresses this gap by evaluating Llama-3.1-nemoguard-8b-content-safety specifically in this secondary defense role, and by introducing a dedicated metric—the Compensation Rate—to quantify its added defensive value in precisely those failure scenarios.
4. Results and Discussions
In this section, the content safety model evaluation results in classifying prompts as safe or unsafe are presented. Classic binary classification metrics were used, by risk category, in addition to the analysis of the firewall capacity to compensate for potential GPT-4o mini failures.
4.1. Performance of the Guardrail Model in Prompt Classification
To evaluate the capacity of the model to correctly identify unsafe prompts, a quantitative analysis based on binary classification metrics was performed. The dataset used in this evaluation comprises 1878 examples involving both input classes (malicious prompts and benign prompts) organized into the 12 risk categories presented previously. The binary classification considered the label “unsafe” as positive, and the label “safe” as negative.
Figure 5 presents the confusion matrix with the respective predictions made by the content safety model in contrast with the actual labels.
It is observed in
Figure 5 that, of the 939 unsafe prompts, 51.97% (488) were correctly classified as unsafe (True Positives), while 48.03% (451) were incorrectly classified as safe (False Negatives). Of the 939 safe prompts, 97.02% (911) were correctly identified as safe (True Negatives) and only 2.98% (28) were classified as unsafe (False Positives). These values indicate a tendency of the model to prioritize safety but with a significant amount of false negatives.
Table 2 presents the results regarding the binary classification metrics. The accuracy of 74.49% indicates that the model correctly classifies about three-quarters of the prompts, reflecting satisfactory overall performance. The precision of 94.57% indicates that the safety layer is highly reliable when flagging prompts as unsafe, with few false positives. However, the sensitivity of 51.97% reveals that almost half of the unsafe prompts are not detected, highlighting a major limitation in the ability to identify all threats. The F1-Score of 67.08% reflects this imbalance, penalizing the model’s low sensitivity despite the high precision. These results suggest that the model tends to be more conservative, prioritizing the avoidance of false alarms over comprehensive risk detection.
The results suggest that the model is effective in applications where avoiding false positives is a priority, such as systems requiring high reliability in risk flagging. However, the moderate sensitivity highlights a vulnerability in critical security scenarios, where the detection of all unsafe prompts is essential. The F1-Score reinforces the need for model adjustments to improve the balance between precision and sensitivity.
It is important to highlight that these results stem from the inference of Llama-3.1-nemoguard-8b-content-safety based on its weights already defined during training by NVIDIA, and it is not possible to alter them. In critical application scenarios, where the LLM will be used to handle sensitive data, the sensitivity of the classifier is a severe factor for the security of user–LLM interaction.
4.2. Analysis by Risk Categories
The decomposition of performance by risk category, as measured by the F1-Score (
Figure 6), reveals a pronounced disparity in model efficacy based on content nature.
By establishing the global F1-Score (67.08%) as a comparative baseline, it becomes evident that the firewall’s overall reliability is degraded by specific vulnerabilities. While the model performs well in categories with explicit lexical patterns (e.g., Adult Content), a critical performance decay falls significantly below the aggregate threshold in domains requiring nuanced semantic interpretation or factual verification, notably Causing material harm by disseminating misinformation (12%) and Risks from leaking sensitive information (19%).
A significant frequency of False Negatives (FN) in high-complexity situations is identified by the individual confusion matrices (
Figure 7), which further clarify the reasons for the reduced F1-Scores. A clear pattern emerges across the grid: categories whose harmful intent relies on explicit, surface-level cues—such as
Adult Content (FP rate: 0%, near-perfect classification) and
Reducing the cost of disinformation campaigns (FN rate: 12.5%)—are reliably detected by the guardrail. In contrast, categories where harm depends on context, implied meaning, or factual plausibility rather than prohibited vocabulary show dramatically higher false negative rates. The most critical case is
Risks from leaking or inferring sensitive information (organization/gov), where 89.7% of harmful inputs were classified as safe—a failure consistent with the model’s limited ability to perform deep semantic inference. Prompts in this category often resemble legitimate questions about organizational or governmental matters, making their adversarial intent hard to distinguish from benign curiosity without broader context. A similar pattern appears in
Disseminating false or misleading information (FN rate: 87.0%) and
Causing material harm by disseminating misinformation, e.g., in medicine or law (FN rate: 93.7%), where the harm lies not in the prompt’s vocabulary but in its factual incorrectness or manipulative framing—dimensions that a classifier operating on prompt text alone cannot verify. Together, these three categories account for the majority of undetected threats and represent the most critical vulnerability zones in this evaluation. On the other hand, the low False Positive rates across all categories (global FP count: 28) confirm that the guardrail strongly prioritizes Precision (94.57%) to avoid false alarms, at a significant cost to Sensitivity (51.97%). This asymmetric error profile reflects a deliberate design trade-off in content safety classifiers: blocking a legitimate user (false positive) is treated as more disruptive than missing a subtle threat (false negative). While reasonable in low-stakes settings, this posture creates a meaningful security gap in high-risk deployments involving clinical, legal, or governmental data.
Figure 8 presents the distribution of classification errors—False Negatives (FNs) and False Positives (FPs)—across all 12 risk categories, considering the full augmented dataset of 1878 samples. For each category, the value of N corresponds to the total number of samples (both safe and unsafe) assigned to that category across the full dataset, and the percentage displayed within each bar segment indicates the proportion of that error type relative to N. For instance, in the
Risks from leaking or inferring sensitive information (organization/gov) category (N = 272), 122 samples were classified as False Negatives, corresponding to 44.9% of all samples in that category.
The distribution in
Figure 8 confirms that False Negatives constitute the dominant source of error across nearly all categories, consistent with the conservative classification behavior described in
Section 4.1. False Negative rates vary considerably: categories such as
Adult Content (N = 56, 8.9% FN rate) and
Reducing the cost of disinformation campaigns (N = 80, 6.2% FN rate) present the lowest error proportions, reflecting the model’s stronger ability to detect explicit or lexically salient threats.
In contrast, the Risks from leaking or inferring sensitive information (organization/gov) category (N = 272) exhibits the highest False Negative rate (44.9%), with 122 misclassified samples—approximately 27% of all 451 false negatives recorded globally. This result indicates that the firewall faces notable difficulty in identifying prompts involving potential sensitive information leakage from organizational entities, likely due to the implicit and context-dependent nature of such threats.
Similarly elevated FN rates are observed in Disseminating false or misleading information (N = 185, 43.2% FN rate) and Causing material harm by disseminating misinformation, e.g., in medicine or law (N = 126, 46.8% FN rate). These three categories together account for the majority of undetected threats and represent the most critical vulnerability zones identified in this evaluation.
Regarding False Positives, which total 28 samples (
Figure 5),
Figure 8 reveals a more uniform distribution, with consistently low rates across all categories. The
Assisting Illegal Activities category (N = 263) presents the highest FP proportion (12.0%), suggesting that the model may apply an excessively conservative threshold when classifying prompts of this type, even when benign. The remaining categories show considerably lower FP rates, confirming that the model rarely misclassifies safe prompts as unsafe, which aligns with its precision exceeding 94%.
These results indicate that the content safety model is less effective in categories involving misinformation and sensitive data leakage, where prompts tend to be more subtle or context-dependent. The elevated FN rates in these domains represent a meaningful risk in production environments, as they correspond precisely to scenarios where adversarial actors may exploit the model’s semantic blind spots to bypass the firewall undetected. On the other hand, the low rate of false positives reinforces the model’s reliability in avoiding false alarms, although targeted calibration of the classification threshold for high-risk categories may be warranted to reduce the residual false negative burden.
4.3. Compensation Rate Analysis
In addition to the direct analysis of prompts, the capacity of the guardrail model to act as a second line of defense, identifying unsafe prompts that GPT-4o mini failed to block, was evaluated. To this end, the Compensation Rate metric, proposed in this work, was used.
The model’s limited ability to act as an effective secondary defense layer is highlighted by the global Compensation Rate of 34.8% (intercepting 8 out of 23 failures). It should be noted that this result is based on a relatively small number of GPT-4o mini failures (n = 23). Nevertheless, the limited sample size of this subset constrains the statistical generalizability of the
CR, consequently, these findings should be interpreted cautiously as an initial reference point rather than a definitive benchmark from which broad conclusions can be drawn. Datasets involving less aligned base models would likely yield a larger failure pool for this analysis. Relying on the methodology’s visual distribution,
Figure 9 suggests that the firewall’s effectiveness is strongly domain-dependent. The guardrail system neutralizes five out of nine core model failures, showing its highest interception capacity in the Adult Content category. This is consistent with strong performance against explicit lexical trigger-driven threats.
On the other hand, the system’s ability to deal with subtle semantic nuances is severely limited. The most serious residual risk was identified in the Risks from leaking or inferring sensitive information (organization/gov) category, where five out of six malicious interactions were not detected by the firewall. Also, the model fails to reduce the cost of disinformation efforts in three out of five cases, highlighting its fragility against hazards related to disinformation. The remaining fifteen uncompensated failures, which are primarily concentrated in context-dependent hazard categories, represent a security risk. As a result, relying solely on global CR hides these particular limitations in the user–LLM interaction.
A contextual comparison with results reported in the literature for candidate guardrail models reveals a structurally significant contrast in the precision–recall trade-off. Llama Guard, evaluated at a fixed threshold of 0.5 on its internal test set, achieves an overall Precision of 90.0%, Recall of 86.7%, and F1 of 88.4% [
32]—a markedly more balanced profile than the one observed in this work, where
Llama-3.1-nemoguard-8b-content-safety achieves Precision of 94.57% at the cost of Sensitivity of 51.97%, as illustrated in
Table 3.
This pattern is the inverse of what is observed in the present evaluation, where the model systematically prioritizes Precision over Recall, particularly in semantically complex categories such as Risks from leaking or inferring sensitive information and Disseminating false or misleading information.
ShieldGemma, in turn, explicitly acknowledges an analogous conservative bias to the one identified in this work, noting that its interpretation of policy violations may be overly conservative and recommending that downstream clients adjust filtering thresholds based on their specific use cases [
33].
Taken together, these results suggest that the precision–sensitivity asymmetry observed in
Llama-3.1-nemoguard-8b-content-safety is not an isolated artifact, but rather positions the model within a broader spectrum of behavioral trade-offs exhibited by the current generation of LLM-based semantic guardrail classifiers—with Llama Guard occupying the permissive end and both NeMo and ShieldGemma occupying the conservative end of this spectrum [
32,
33].
5. Conclusions
This research provided an initial assessment of the role of semantic firewalls as a crucial layer in the security architecture of Large Language Models. By evaluating the NVIDIA Llama-3.1-nemoguard-8b-content-safety (NeMo Guardrails) against a balanced corpus of 1878 prompts from the “Do Not Answer” and synthetic datasets, we have characterized the current capabilities and inherent limitations of external alignment mechanisms.
The empirical results reveal a significant dichotomy in performance. On one hand, the firewall exhibited exceptional Precision (94.57%) and a remarkably low False Positive Rate (2.98%). These figures are relevant for industrial applications, as they indicate that the model can enhance security without compromising the usability of the system or inducing “refusal fatigue” in benign users. On the other hand, the recorded Sensitivity of 51.97% highlights a critical vulnerability: while the system is highly effective against explicit and “shallow” adversarial prompts, it struggles to identify more sophisticated, context-dependent threats. Our granular analysis by risk category showed that whereas categories like “Physical Harm” are easily intercepted, subtle threats such as “Sensitive Data Leakage” and “Sophisticated Misinformation” often bypass the semantic filters [
34,
35].
As an initial methodological contribution, this study introduced the Compensation Rate (
CR), an exploratory metric designed to estimate the defensive added value of a secondary guardrail layer. We note, however, that its application relied on limited data and requires validation across larger datasets to establish broader applicability. The achieved
CR of 34.8% provides a preliminary reference point for future evaluations of semantic firewalls, suggesting that Llama-3.1-nemoguard-8b-content-safety successfully mitigated over one-third of the safety alignment failures where the underlying model (GPT-4o mini) would have otherwise provided a hazardous response. This finding is consistent with the “Defense-in-Depth” strategy [
36], and lends support to the notion that security in the LLM era cannot rely solely on internal fine-tuning or RLHF, but must be supported by programmable, external layers that can be updated independently of the core model weights [
37].
Despite these contributions, the study acknowledges significant challenges. The dependency on English-centric training data and the fixed nature of the Llama-3.1-nemoguard-8b-content-safety model limit its adaptability to regional legal frameworks, such as the LGPD in Brazil. Additionally, the use of GPT-4o mini as both the synthetic data generator and the model under evaluation in the Compensation Rate analysis introduces a potential circularity: the benign prompts may carry stylistic biases from that model, which could influence the observed CR values. Future work should consider using independent models for data generation and response evaluation to mitigate this effect.
This limitation is further contextualized by prior work on LLM-based synthetic data generation. Li et al. [
30] demonstrated that the effectiveness of LLM-generated synthetic data is negatively associated with task subjectivity: for classification tasks requiring nuanced human interpretation—such as humor, sarcasm, or emotion detection—the diversity of synthetic data is significantly lower than that of real-world data, and the performance gap between models trained on synthetic versus real corpora widens considerably as subjectivity increases. Complementarily, Choi et al. [
31] showed that while GPT-generated text can serve as a practical augmentation tool in data-scarce settings, it falls short as a substitute for real data in fine-grained classification tasks—as synthetic outputs often capture only partial class-discriminative signals, enabling coarse-level distinctions but failing in more nuanced cases. The safety classification task evaluated in this work exhibits precisely this profile: categories such as
Disseminating false or misleading information (F1 = 0.23) and
Risks from leaking or inferring sensitive information (organization/gov) (F1 = 0.19) are inherently context-dependent and semantically subtle—placing them within the high-subjectivity regime where synthetic data diversity is most limited. It is worth noting that both Li et al. [
30] and Choi et al. [
31] evaluated synthetic data in a
classifier training context, whereas in the present work synthetic data are used for
classifier evaluation; nevertheless, their shared finding that LLM-generated data tends to be less representative precisely in subjective, context-dependent domains remains pertinent: a less representative benign class may underestimate the true false negative burden of the firewall in real-world deployments, where safe interactions are far more diverse and semantically varied than any single-model synthetic corpus can capture.
Looking forward, the most immediate priority for future work is a systematic comparative benchmark of guardrail models that serve the same functional role as Llama-3.1-nemoguard-8b-content-safety—namely, external semantic classifiers designed to act as a secondary defense layer in user–LLM interactions. Candidate systems for such a benchmark include Llama Guard 3, ShieldGemma, and the OpenAI Moderation API, among others. A rigorous head-to-head evaluation using a shared corpus—ideally extending the methodology proposed in this work—would contextualize the precision–sensitivity trade-off reported here and establish whether the conservative bias observed in Llama-3.1-nemoguard-8b-content-safety is a model-specific characteristic or a broader property of the current generation of semantic firewall classifiers. Such a benchmark would also provide a more grounded empirical basis for the Compensation Rate metric, allowing cross-model comparison of added defensive value in realistic defense-in-depth architectures.
Two structural obstacles condition any comparative benchmark between Llama-3.1-nemoguard-8b-content-safety and the candidate models Llama Guard and ShieldGemma.
The first is taxonomic: Llama Guard operates over 6 risk categories [
32], ShieldGemma over 6 primary harm types [
33], and the
Do Not Answer corpus over 12 categories distributed across 5 risk areas [
29]—with only partial overlap among the three taxonomies. As acknowledged in the Llama Guard paper itself, the absence of standardized taxonomies makes comparing different models challenging, as they were trained against different taxonomies [
32].
Similarly, ShieldGemma recognizes that direct comparison remains challenging due to variations in policy definitions and supported harm types across datasets, as well as inconsistencies in policy definitions even within the same harm type. Ref. [
33] Critical categories for this study, such as
Risks from leaking or inferring sensitive information (organization/gov)—which exhibits the highest false negative rate in our evaluation (44.9%)—and
Disseminating false or misleading information (43.2% FN rate), have no direct equivalent in the taxonomies of either candidate model.
The second obstacle is behavioral: evidence from the literature indicates that ShieldGemma shares an analogous asymmetric error profile, explicitly acknowledging that its interpretation of policy violations may be overly conservative, potentially interfering with helpfulness when used to filter LLM responses [
33]. Llama Guard, in turn, presents a distinct but equally significant limitation: as a fine-tuned LLM classifier, its performance is inherently bounded by its training taxonomy, and cross-taxonomy evaluation remains methodologically non-trivial, requiring zero-shot or few-shot prompting adaptations to generalize beyond its original policy [
32].
Together, both patterns suggest that the precision–sensitivity trade-off is not a characteristic specific to
Llama-3.1-nemoguard-8b-content-safety, but a structural property of the current generation of external semantic classifiers—whose origins may lie in the choice of training taxonomy, sensitivity to prompt templates, data, and the absence of threshold calibration accessible to the end user [
32,
33].
Beyond this, we propose a broader research agenda to address the remaining gaps identified in this study. First, we emphasize the need for a multilingual adversarial dataset to evaluate how cultural and linguistic nuances affect AI models. Second, future iterations should explore hybrid fine-tuning through LoRA (Low-Rank Adaptation), allowing organizations to customize the sensitivity of guardrails for specific industry-regulated categories. Ultimately, this work suggests a baseline approach for monitoring and auditing LLM firewalls, contributing to the safe and ethical deployment of generative AI.