AWS launches InvokeGuardrailChecks API for per-request safety controls in AI agents

AWS launches InvokeGuardrailChecks API for per-request safety controls in AI agents

Amazon Web Services launched the InvokeGuardrailChecks API for Amazon Bedrock Guardrails, enabling developers to apply individual safety checks at any point in agentic AI applications without provisioning guardrail resources.

The API operates in detect-only mode and returns numeric scores for each safeguard on a discrete 0-1 scale with values of 0, 0.2, 0.4, 0.6, 0.8, or 1.0. Developers can define custom thresholds and actions—block, bypass, retry, or log—based on their application requirements.

How it works

The API addresses a specific operational problem in multi-turn agentic workflows. Traditional guardrails require developers to create separate guardrail resources for each stage of an agent loop. In a single user session with 20 turns, this could mean 40 guardrail lifecycle operations (create-invoke-delete) for input and output checks at each step.

The InvokeGuardrailChecks API is resourceless—no CreateGuardrail step, no guardrail IDs to track, and no versions to manage. Developers specify which safeguards to run directly in each API request using a structured messages schema with role labels (system, user, or assistant).

The API supports three safeguard types:

• Content filters: Detects harmful content across categories including HATE, VIOLENCE, SEXUAL, INSULTS, and MISCONDUCT. Returns severity scores.
• Prompt attack detection: Identifies jailbreaks, prompt injection, and prompt leakage attempts as standalone checks, separate from content filters. Returns severity scores.
• Sensitive information filters: Detects 31 PII entity types including email, phone, SSN, and credit card numbers. Returns confidence scores.

Each finding includes messageIndex, contentIndex, and character offsets (beginOffset, endOffset) for precise location within the content.

Detect-only mode

Unlike traditional guardrails, the API doesn't block, mask, or rewrite content. It returns findings with numeric scores, and developers implement their own logic. This allows context-aware decisions: blocking high-confidence threats (score > 0.8), routing ambiguous findings (0.4-0.6) to human review, or logging low-confidence results for audits.

The API uses symmetric request-response—only the safeguards specified in the request appear in the response, making it straightforward to map findings back to their source checks.

IAM requirements

Because the API is resourceless, there's no guardrail ARN to scope. Developers attach an identity-based IAM policy with bedrock:InvokeGuardrailChecks permission on Resource: "*".

What this means

This API addresses a real operational bottleneck in production agentic systems. The resourceless model eliminates guardrail lifecycle management overhead that scales poorly with agent complexity. The detect-only mode gives developers control over safety thresholds rather than forcing one-size-fits-all blocking policies. For teams running hundreds of agents with varied risk profiles per turn, this reduces both infrastructure complexity and false positive rates from overly conservative default thresholds.