GLiGuard: Scaling AI Safety with High-Efficiency Small Language Models

As AI agents transition from simple chatbots to autonomous entities capable of browsing the web and executing code, the risk profile of LLM deployments has shifted. The stakes are no longer just about offensive text; they are about preventing real-world harm. To mitigate these risks, developers rely on guardrails—safety layers that sit between the user and the model to filter malicious prompts and harmful responses.

Historically, state-of-the-art (SOTA) guardrail models have been built on large decoder-only transformer architectures. While flexible, these models treat safety moderation as a text generation task, which introduces significant latency and cost. Pioneer AI has addressed this inefficiency with the release of GLiGuard, a 300 million parameter model designed to prove that effective safety moderation does not require billions of parameters.

The Bottleneck of Decoder-Based Guardrails

Most current guardrail models (such as LlamaGuard or ShieldGemma) operate autoregressively. They generate a safety verdict one token at a time, mirroring the way a standard LLM generates a chat response. This approach has three primary drawbacks:

1. Sequential Latency: Because generation is sequential, it is inherently slower than classification.
2. Computational Cost: Models ranging from 7B to 27B parameters require substantial GPU resources, making them expensive to scale in production.
3. Compounding Delay: Safety moderation often requires checking multiple dimensions (e.g., is this a jailbreak? is there PII? is it hate speech?). In a decoder model, these assessments are typically performed one after another, compounding the latency for every additional safety criterion evaluated.

A New Approach: Reframing Moderation as Classification

GLiGuard departs from the decoder-only trend by utilizing a small encoder-based architecture. Instead of generating a text response to describe the safety status, GLiGuard reframes moderation as a text classification problem.

By encoding the input text and the task definitions (labels) together, the model can score every safety label simultaneously in a single forward pass. This means that evaluating five different safety dimensions takes the same amount of time as evaluating one.

Four Concurrent Moderation Tasks

GLiGuard evaluates four critical safety dimensions in a single pass:

• Safety Classification: A binary check (safe/unsafe) applied to both incoming prompts and outgoing responses.
• Jailbreak Strategy Detection: Identification of 11 specific strategies, including prompt injection, roleplay bypass, and social engineering. Any detected strategy automatically flags the prompt as unsafe.
• Harm Category Detection: Classification across 14 categories, such as violence, sexual content, PII exposure, and copyright violations. Multiple categories can be triggered by a single input.
• Refusal Detection: Determining if the model complied with or refused a request. This is vital for measuring "over-refusal" (where a model rejects safe prompts) and detecting "false compliance."

Performance: Accuracy vs. Efficiency

To validate GLiGuard, Pioneer AI tested the model against six major decoder-based guard models, including LlamaGuard4 (12B), ShieldGemma (27B), and NemoGuard (8B).

Accuracy Benchmarks

Despite being 23 to 90 times smaller than its competitors, GLiGuard's accuracy is comparable to the current SOTA:

• Prompt Classification: Achieved an average F1 score of 87.7, trailing the best model (PolyGuard-Qwen) by only 1.7 points.
• Response Classification: Achieved an average F1 of 82.7, second only to Qwen3Guard-8B.
• Competitive Edge: It outperformed LlamaGuard4-12B and ShieldGemma-27B, demonstrating that the classification ability required for safety can be captured in a much more compact architecture.

Speed and Throughput

The architectural shift to an encoder-based model yields dramatic efficiency gains on a single NVIDIA A100 GPU:

• Throughput: Up to 16.2x higher throughput (133 vs. 8.2 samples/s at batch size 4).
• Latency: Up to 16.6x lower latency (26ms vs. 426ms for a sequence length of 64).

Training and Deployment

GLiGuard was trained using a mixture of human-annotated data (via the WildGuardTrain dataset) and synthetic data generated by GPT-4. To resolve early training struggles with fine-grained distinctions—such as the difference between toxic speech and violence—the team used Pioneer to generate supplemental synthetic edge cases.

The model was developed by fine-tuning the GLiNER2-base-v1 checkpoint for 20 epochs using the AdamW optimizer.

Conclusion

For developers building agentic AI, guardrails are not optional; they are critical infrastructure. However, the latency penalty of large decoder models often creates a friction point in user experience. GLiGuard demonstrates that by shifting from generation to classification, developers can achieve SOTA-level safety moderation with a fraction of the computational overhead.

Available under the Apache 2.0 license on the Hugging Face Hub, GLiGuard provides a practical, open-source path for teams to deploy high-performance safety layers without requiring massive infrastructure investment.