Skip to main content
The Quantum Dispatch
Back to Home
Cover illustration for SingGuard-NSFA Brings Open Guardrails to AI Agents

SingGuard-NSFA Brings Open Guardrails to AI Agents

Ant Group open-sourced SingGuard-NSFA under Apache 2.0 — four guardrail models covering 185 threat scenarios across 133 languages, free to download.

Kai Aegis
Kai AegisJul 16, 20264 min read

SingGuard-NSFA is a family of open-source guardrail models that inspects what an AI agent is about to *do*, not just what it says. Ant Group's AI Safety Lab released it under Apache 2.0 — models, benchmarks, and taxonomy — and the distinction between behavioral and textual moderation is the point worth understanding.

  • Four model sizes — 0.8B, 2B, 4B, and 9B, built on Qwen3.5, all Apache 2.0 licensed
  • 7 primary risk domains and 185 threat scenarios, from prompt injection to tool abuse to resource abuse
  • ~45-57 ms per sample real-time classification on the 9B model
  • Public NSFA Benchmarks — roughly 100k samples spanning 133 languages

Why Behavioral Guardrails Beat Text Filters

Most content moderation asks whether generated text is acceptable. That framing breaks down the moment an agent can execute things, because the dangerous output is not a sentence — it is an API call.

SingGuard-NSFA instead inspects the agent's behavior at runtime: it analyzes incoming requests and validates responses *before* the agent is permitted to act. The taxonomy reflects that shift. Seven primary risk domains cover prompt injection and jailbreaks, malicious code and cyberattack, sensitive information stealing, dangerous operations and tool abuse, resource abuse, hazardous action generation, and sensitive information leakage — broken out into 185 specific threat scenarios.

Notice that half those categories have no textual signature at all. "Resource abuse" and "tool abuse" are patterns of action. You cannot regex your way to catching them.

Can You Actually Run It in Production?

Latency is the question that kills most guardrail deployments, and the numbers here are reasonable. The 9B model classifies in roughly 45-57 ms per sample — the project's GitHub repository gives that range, while press coverage rounds it to "about 50 ms." We'd cite the repo.

The four-size ladder matters more than it looks. At 0.8B, you can put a guardrail inline on a latency-sensitive path where a 9B model would be untenable. At 9B, you get the full taxonomy for workloads that can absorb the cost. Teams following our AI security coverage will recognize this as the same design logic behind tiered runtime tooling like AgentMon's agent guardrails.

Ant reports it is already running in Alipay AI Pay and its AQ healthcare app — production deployment at meaningful scale, which is a stronger signal than a benchmark table.

The Benchmarks Are the Quiet Contribution

Alongside the models, Ant published the NSFA Benchmarks: NSFA-Query-Multilingual (63,431 samples), NSFA-Response-Multilingual (29,972), and NSFA-CrossSource-Query (3,435). Roughly 100,000 samples across 133 languages.

That multilingual span is the part the industry needed. Guardrails that work in English and fold in Vietnamese are a well-documented failure mode, and until now there was no shared yardstick for measuring it. A public benchmark lets everyone — including Ant's competitors — find their own gaps.

Models are on GitHub, Hugging Face, and ModelScope. Apache 2.0 means you can deploy, modify, and ship it commercially. Alongside open defensive tooling like Rustinel's Rust-based EDR, it is a good week for security teams who'd rather download than procure.

Sources: TechNode — July 13, 2026; FF News — July 13, 2026; Open Source For You — July 15, 2026; GitHub — SingGuard-NSFA — July 2026.

More Ai Security Stories

AI Security

GPT-Red: OpenAI's AI Red-Teamer Cuts Injection Fails

OpenAI built GPT-Red, an automated red-teaming model, then used it to harden GPT-5.6 Sol to 6x fewer prompt-injection failures than GPT-5.5.

Kai Aegis
Kai AegisJul 16, 20265 min read
AI Security

AgentMon 3 Gives AI Agents Self-Refining Guardrails

Codenotary's AgentMon 3, out July 7, learns each org's normal AI-agent behavior and auto-tunes runtime policies, cutting manual upkeep up to 80%.

Kai Aegis
Kai AegisJul 15, 20265 min read
AI Security

Sophos Fusion Unifies Security Tools With Agentic AI

Sophos launched Fusion on July 15 — an AI-native platform that unifies endpoint, SIEM, identity, and network tools with shared threat intel.

Kai Aegis
Kai AegisJul 15, 20266 min read