From Risk Classification to Action Plan Remediation: A Guardrail Feedback Driven Framework for LLM Agents

Researchers introduce TRIAD, a guardrail framework for LLM agents that uses iterative feedback to guide safer behavior rather than simply blocking risky tasks. By classifying risks as proceed, refuse, or update with structured guidance, the system reduces attack success rates to 10.42% while maintaining utility for benign task completion.

The development of TRIAD addresses a critical gap in AI safety infrastructure. Traditional guardrails operate as binary gatekeepers—flagging entire tasks as unsafe and blocking execution entirely. This approach sacrifices utility when malicious content contaminates otherwise legitimate requests. TRIAD reimagines guardrails as collaborative guides, generating natural-language feedback that allows agents to revise plans and isolate harmful components while preserving benign objectives.

This research responds to growing concerns about LLM agent reliability in production environments. As organizations deploy autonomous agents for increasingly complex tasks, the risk of prompt injection attacks, unsafe tool usage, and instruction-following failures escalates. Previous guardrail evaluations rarely measured downstream behavioral impact, leaving unclear whether safety interventions actually improve real-world agent performance.

TRIAD's closed-loop architecture represents a meaningful shift in AI safety philosophy. By integrating feedback directly into the agent's planning context, the framework enables iterative refinement rather than crude rejection. The self-curated training dataset and comprehensive testing on ASB and AgentHarm benchmarks demonstrate substantial improvement—reducing attack success rates while maintaining task completion capability. This balanced safety-utility trade-off holds significant implications for enterprises deploying autonomous systems in regulated industries.

The framework's open-source release accelerates adoption across the AI development community. As LLM agents become foundational infrastructure for enterprise applications, guardrail mechanisms directly influence deployment confidence and regulatory compliance. Future work should examine scalability across diverse agent architectures and real-world attack vectors beyond current benchmarks.

• →TRIAD reduces attack success rates to 10.42% using iterative feedback instead of binary blocking mechanisms.
• →The framework introduces three decision types—proceed, refuse, update—enabling agents to revise unsafe plans while preserving benign task completion.
• →Guardrail feedback integrates directly into agent planning loops, creating alignment between safety constraints and downstream behavior.
• →Comprehensive testing on ASB and AgentHarm benchmarks demonstrates superior safety-utility trade-offs compared to existing guardrail approaches.
• →Open-source code release enables wider adoption and validation of feedback-driven safety mechanisms in production LLM agent systems.