16  Tools & Frameworks

Living document. This catalog covers tools prominent at the time of last review and is not exhaustive. The tooling landscape evolves rapidly — products are acquired, deprecated, or superseded, and new categories emerge as the attack surface grows. Entries will be updated each quarterly review. Maturity ratings reflect deployment track record, not capability claims.

What practitioners actually deploy. This catalog maps each tool to where it sits in the attack surface and rates it by maturity. The organizing question is placement: a guardrail at the input channel and an audit log at the action layer defend different things, and a stack is only as strong as its thinnest layer.

16.1 Where Tools Sit

Tool categories mapped onto the agent pipeline Input Model / agent Tools / env Action / output Guardrails NeMo · Llama Guard Guardrails / schema output validation Interpretability TransformerLens · SAEs Eval / red-team Inspect · AgentDojo · garak Provenance — C2PA · watermarking
Tool categories map onto distinct points of the agent pipeline; defense-in-depth means covering every point, not hardening one.

16.2 Guardrails & Runtime

Inline controls screening inputs, outputs, and actions at deployment — the L1/L5 layers of the defensive stack.

Tool Does Maturity
Llama Guard (Inan et al., 2023) LLM classifier scoring prompts/responses against a configurable harm taxonomy Production
NeMo Guardrails Programmable rails (topical, safety, execution) around an LLM app via a dialog/flow spec Production
ShieldGemma / Guardrails AI Open content-safety classifiers and a validation framework for structured/safe output Production
Constitutional Classifiers (Sharma et al., 2025) Classifiers trained on adversarial jailbreak variants against natural-language policies Emerging
Interface firewalls (Bhagwatkar et al., 2025) Dual-LLM / policy-model isolation so the primary model never sees raw untrusted content Research → early adoption

16.3 Evaluation Harnesses

Infrastructure for measuring safety and capability — the runnable side of Evaluation.

Tool Does Maturity
Inspect (UK AISI) Framework for building and running model evaluations, incl. agentic and dangerous-capability evals Production (institutional)
AgentDojo (Debenedetti et al., 2024) Dynamic benchmark for prompt-injection attacks/defenses on tool-using agents Research standard
Agent Security Bench (Zhang et al., 2025) Formalized attack/defense evaluation across agent operation stages Research standard
HELM (Liang et al., 2023) Multi-metric holistic evaluation across scenarios (accuracy, robustness, fairness, …) Established
lm-evaluation-harness Standardized capability benchmarking across many tasks/models De facto standard

16.4 Red-Teaming & Attack

Offensive tooling for probing systems before adversaries do — standing oversight rather than one-time testing.

Tool Does Maturity
garak Vulnerability scanner probing LLMs for jailbreaks, leakage, injection, toxicity Production
PyRIT Risk-identification framework for automating red-team attack generation against GenAI Production
Giskard Testing/scanning for ML and LLM apps (bias, robustness, injection) Production

16.5 Interpretability

The instrumentation behind Interpretability — turning mechanistic analysis into shared infrastructure.

Tool Does Maturity
TransformerLens Library for mechanistic-interpretability experiments (activation caching, patching, hooks) Research standard
Gemma Scope (Lieberum et al., 2024) Open suite of sparse autoencoders across every layer of an open model Research standard

16.6 Provenance & Content Authenticity

The ecosystem-governance tooling from Systemic Safety — keeping the information environment legible as synthetic content scales.

Tool Does Maturity
C2PA Open standard for cryptographically signed content provenance/edit history Emerging (industry adoption)
Watermarking toolkits Embed detectable statistical signals in model outputs for attribution Research → early deployment

16.7 Selection Notes

  • Match the tool to the layer, not the brand. A guardrail model and a sandbox defend different threats; deploying two tools at the same layer leaves others bare.
  • Maturity is a deployment gate. Production tools have stable interfaces and operational track records; research tools are validated in papers, not at scale.
  • Evaluation tooling is itself a control. Harnesses and red-team frameworks are how the other layers get verified; an unevaluated guardrail is an assumption, not a defense.