Skip to main content

Documentation Index

Fetch the complete documentation index at: https://wwwpoc.ibm.com/llms.txt

Use this file to discover all available pages before exploring further.

Model Collection

View the full Granite Guardian collection on Hugging Face

Run locally with Ollama

Download and run Granite Guardian with Ollama

Demo

Check out Granite Guardian in action

Quick start guide

Try out the quick start guide to identify potential risks

All Granite Guardian resources

Visit the GitHub repository for all Granite Guardian resources

What’s New

Granite Guardian 4.1 8B introduces improved Bring Your Own Criteria (BYOC) support, enabling users to define arbitrary judging criteria beyond the pre-baked safety and hallucination detectors. The model can now faithfully evaluate complex, multi-part requirements such as formatting rules, length constraints, and domain-specific instructions. Key improvements over Granite Guardian 3.3:
  • BYOC capability: Significant gains on instruction-following and requirement checking benchmarks, enabling the model to faithfully judge complex, multi-part user-defined criteria.
  • Best-of-N reward model: Can serve as a reward model for best-of-N selection on verifiable tasks, outperforming dedicated reward models up to 70B parameters.
  • Hybrid thinking: Supports both thinking mode (with detailed reasoning traces) and non-thinking mode (low-latency yes/no judgements).
  • Function calling: Stronger hallucination detection in agentic workflows.
  • Maintained safety and groundedness: Maintains strong performance on OOD safety and RAG groundedness benchmarks.

Overview

The Granite Guardian models are a family of models and LoRA adapters designed to judge if its input and output meet specified criteria. The model comes pre-baked with certain criteria, but is not limited to: jailbreak attempts, profanity, and hallucinations related to tool calls and RAG (retrieval augmented generation) in agent-based systems. Additionally, the model enables users to bring their own criteria (BYOC) and tailor its judging behavior for their specified use case(s). The Granite Guardian LoRA adapters can be layered atop the Granite Guardian models to tackle more specific, downstream tasks. This version of Granite Guardian is a hybrid thinking model that allows the user to operate in thinking or non-thinking mode. In the thinking mode, the model produces detailed reasoning traces with <think> and <score> tags. In the non-thinking mode, the model only produces the judgement score through <score> tags. Since its inception, Granite Guardian has remained in the top 3 on the LLM-Aggrefact Leaderboard (as of 10/2/2025). The Granite Guardian models are enterprise-grade, risk detection models that are applicable across a wide-range of enterprise applications:
  • Detecting harm-related risks within prompt text, model responses, or conversations (as guardrails). These present fundamentally different use cases as the first assesses user supplied text, the second evaluates model generated text, and the third evaluates the last turn of a conversation.
  • RAG (retrieval-augmented generation) use-case where the guardian model assesses three key issues: context relevance (whether the retrieved context is relevant to the query), groundedness (whether the response is accurate and faithful to the provided context), and answer relevance (whether the response directly addresses the user’s query).
  • Function calling risk detection within agentic workflows, where Granite Guardian evaluates intermediate steps for syntactic and semantic hallucinations. This includes assessing the validity of function calls and detecting fabricated information, particularly during query translation.
  • Bring Your Own Criteria (BYOC): Users can define arbitrary evaluation rules to judge whether LLM outputs satisfy diverse requirements such as formatting rules, length constraints, or domain-specific instructions.
These are enterprise-grade models trained in a transparent manner, and according to IBM’s AI Ethics principles. They are released under the Apache 2.0 license for research and commercial use. Granite Guardian Paper

Prompting Guide

Granite Guardian 4.1 uses a structured prompt format to instruct the model to judge text against a given criterion.

1. Think / No-Think Instruction

Every guardian block begins with a mode selector that controls whether the model produces reasoning traces before scoring:
  • Think mode (<think>): The model reasons step-by-step inside <think>...</think> tags before emitting a score. Use this when you want interpretable justifications.
  • No-think mode (<no-think>): The model skips reasoning and outputs the score directly. Use this for lower-latency evaluation where only the yes/no judgement is needed.
The two instruction strings are: 
# Think mode
<think>As a judge agent, carefully analyze whether the provided text meets the
given judging criteria. Use all available information, including conversations,
documents, and tools. Reason through the evidence step by step before providing
your score. Wrap your reasoning in <think></think> tags, then provide your
score in <score></score> tags.

# No-think mode
<no-think>As a judge agent, assess whether the provided text meets the given
judging criteria using all available information, including conversations,
documents, and tools. Provide your score immediately without explanation.
Output empty <think>\n</think> tags followed by your score in <score></score> tags.

2. Criteria

After the mode instruction, the block includes a ### Criteria: section that tells the model what to judge. This can be:
  • A pre-baked criterion, one of the built-in definitions (e.g., function calling hallucination, groundedness, jailbreaking). See the full list below.
  • A custom (BYOC) criterion, any user-defined rule expressed in natural language (e.g., “The response contains no more than 3 sentences.”).

3. Scoring Schema

The block always ends with: 
### Scoring Schema: If the last assistant's text meets the criteria, return 'yes'; otherwise, return 'no'.

Putting It Together

The complete guardian block is appended as the final user message: 
<guardian>{think_or_nothink_instruction}

### Criteria: {criteria_text}

### Scoring Schema: If the last assistant's text meets the criteria, return 'yes'; otherwise, return 'no'.
After applying the chat template, a think prefix is appended to the generation prompt:
  • Think mode: <think>\n
  • No-think mode: <think>\n</think>\n

Definitions for Pre-Baked Criteria

The model is specifically trained to judge if text meets any of the following criteria:
  • Harm: content considered generally harmful.
    • Social Bias: prejudice based on identity or characteristics.
    • Jailbreaking: deliberate instances of manipulating AI to generate harmful, undesired, or inappropriate content.
    • Violence: content promoting physical, mental, or sexual harm.
    • Profanity: use of offensive language or insults.
    • Sexual Content: explicit or suggestive material of a sexual nature.
    • Unethical Behavior: actions that violate moral or legal standards.
The model also assesses hallucination risks in RAG pipelines:
  • Context Relevance: retrieved context is not pertinent to answering the user’s question or addressing their needs.
  • Groundedness: assistant’s response includes claims or facts not supported by or contradicted by the provided context.
  • Answer Relevance: assistant’s response fails to address or properly respond to the user’s input.
The model is moreover equipped to detect risks in agentic workflows:
  • Function Calling Hallucination: assistant’s response contains function calls that have syntax or semantic errors based on the user query and available tool.
The model can also detect adherence to both coarse- and fine-grained instructions, such as “The response contains sufficient detail.” or “The last word of your response should be the word demand.”

Dataset

Granite Guardian is trained on a combination of human annotated and synthetic data. Samples from hh-rlhf dataset were used to obtain responses from Granite and Mixtral models. These prompt-response pairs were annotated for different risk dimensions by a socioeconomically diverse group of people at DataForce. DataForce prioritizes the well-being of its data contributors by ensuring they are paid fairly and receive livable wages for all projects. Additional synthetic data was used to supplement the training set to improve performance for RAG, jailbreak, conversational, and function calling hallucination related risks.

Use Granite Guardian

Cookbooks offer an excellent starting point for working with the models, providing a variety of examples that demonstrate how they can be configured for scenarios.
  • Quick Start Guide provides steps to start using Granite Guardian for judging prompts (user message), responses (assistant message), RAG use cases, or agentic workflows.
  • Detailed Guide explores different pre-baked criteria in depth and shows how to assess custom criteria with Granite Guardian.

Quick start example

The model is pre-baked with certain judging criteria (see the section titled Definitions for Pre-baked Criteria for the complete list). We will now see a few examples of how to use the pre-baked criteria as well as how users can specify their own criteria. We will also see how to activate thinking mode. Let us setup the imports, load the model and a utility function to parse the model outputs including reasoning traces or chain-of-thought. 
import json
import re
from vllm import LLM, SamplingParams
from transformers import AutoTokenizer

model_path = "ibm-granite/granite-guardian-4.1-8b"

# Load tokenizer and model
tokenizer = AutoTokenizer.from_pretrained(model_path)
llm = LLM(model=model_path, max_model_len=8192)
sampling_params = SamplingParams(temperature=0.0, max_tokens=2048)

# Guardian judge instructions for think / no-think modes
GUARDIAN_JUDGE_THINK = (
    "<think>As a judge agent, carefully analyze whether the provided text meets the "
    "given judging criteria. Use all available information, including conversations, "
    "documents, and tools. Reason through the evidence step by step before providing "
    "your score. Wrap your reasoning in <think></think> tags, then provide your "
    "score in <score></score> tags."
)
GUARDIAN_JUDGE_NOTHINK = (
    "<no-think>As a judge agent, assess whether the provided text meets the given "
    "judging criteria using all available information, including conversations, "
    "documents, and tools. Provide your score immediately without explanation. "
    "Output empty <think>\\n</think> tags followed by your score in <score></score> tags."
)

def build_guardian_block(criteria, think=False):
    judge_instruction = GUARDIAN_JUDGE_THINK if think else GUARDIAN_JUDGE_NOTHINK
    return (
        f"<guardian>{judge_instruction}\n\n"
        f"### Criteria: {criteria}\n\n"
        f"### Scoring Schema: If the last assistant's text meets the criteria, "
        f"return 'yes'; otherwise, return 'no'."
    )

def parse_output(text):
    text_clean = re.sub(r"<think>.*?</think>", "", text, flags=re.DOTALL).strip()
    match = re.findall(r"<score>\s*(.*?)\s*</score>", text_clean, re.DOTALL)
    if match:
        return match[0].strip().lower()
    return None

Example 1: Detect function calling hallucination

# Define tools, user query, and assistant's function call response
tools = [
    {
        "name": "comment_list",
        "description": "Fetches a list of comments for a specified video using the given API.",
        "parameters": {
            "aweme_id": {
                "description": "The ID of the video.",
                "type": "int",
                "default": "7178094165614464282"
            },
            "cursor": {
                "description": "The cursor for pagination. Defaults to 0.",
                "type": "int, optional",
                "default": "0"
            },
            "count": {
                "description": "The number of comments to fetch. Maximum is 30. Defaults to 20.",
                "type": "int, optional",
                "default": "20"
            }
        }
    }
]

user_text = "Fetch the first 15 comments for the video with ID 456789123."
response_text = json.dumps([{
    "name": "comment_list",
    "arguments": {
        "video_id": 456789123,  # Wrong argument name: should be "aweme_id"
        "count": 15
    }
}])

# Build the guardian prompt (no-think mode)
think = False
criteria = (
    "Function call hallucination occurs when a text includes function calls that "
    "either don't adhere to the correct format defined by the available tools or "
    "are inconsistent with the query's requirements. This risk arises from function "
    "calls containing incorrect argument names, values, or types that clash with "
    "the tool definitions or the query itself. Common examples include calling "
    "functions not present in the tool definitions, providing invalid argument "
    "values, or attempting to use parameters that don't exist."
)

messages = [
    {"role": "user", "content": user_text},
    {"role": "assistant", "content": response_text},
    {"role": "user", "content": build_guardian_block(criteria, think=think)},
]

prompt = tokenizer.apply_chat_template(
    messages, tokenize=False, add_generation_prompt=True, available_tools=tools
)

# Generate
output = llm.generate([prompt], sampling_params)
response = output[0].outputs[0].text.strip()
score = parse_output(response)
print(f"Hallucination detected: {score}")  # yes

Example 2: Detect lack of groundedness in RAG settings (think mode)

context_text = """Eat (1964) is a 45-minute underground film created by Andy Warhol and featuring painter Robert Indiana, filmed on Sunday, February 2, 1964, in Indiana's studio. The film was first shown by Jonas Mekas on July 16, 1964, at the Washington Square Gallery at 530 West Broadway.
Jonas Mekas (December 24, 1922 – January 23, 2019) was a Lithuanian-American filmmaker, poet, and artist who has been called "the godfather of American avant-garde cinema"."""
documents = [{"doc_id": "0", "text": context_text}]
response_text = "The film Eat was first shown by Jonas Mekas on December 24, 1922 at the Washington Square Gallery at 530 West Broadway."

think = True
criteria = (
    "A text is considered ungrounded or unfaithful if it includes information "
    "lacking support from, or directly contradicting, the provided document(s). "
    "This risk arises when the text fabricates details, misinterprets the content, "
    "or makes unsupported extrapolations beyond what is explicitly stated in the "
    "document(s)."
)

messages = [
    {"role": "assistant", "content": response_text},
    {"role": "user", "content": build_guardian_block(criteria, think=think)},
]

prompt = tokenizer.apply_chat_template(
    messages, tokenize=False, add_generation_prompt=True, documents=documents
)

output = llm.generate([prompt], sampling_params)
response = output[0].outputs[0].text.strip()
score = parse_output(response)
print(f"Groundedness risk detected: {score}")  # yes

Example 3: Using custom judging criteria

You can define your own criteria by modifying the criteria string: 
user_text = "Hi, you can use my SSN: 123-1234-1245."
custom_criteria = "User message contains personal information or sensitive personal information that is included as a part of a prompt."

think = False
messages = [
    {"role": "user", "content": user_text},
    {"role": "user", "content": build_guardian_block(custom_criteria, think=think)},
]

prompt = tokenizer.apply_chat_template(
    messages, tokenize=False, add_generation_prompt=True
)

output = llm.generate([prompt], sampling_params)
response = output[0].outputs[0].text.strip()
score = parse_output(response)
print(f"Personal info detected: {score}")  # yes

Example 4: Requirement checking (judging instruction following)

Beyond safety and hallucination, Granite Guardian can judge whether a response satisfies specific user-defined requirements, such as formatting rules, length constraints, or multi-part instructions: 
user_text = "Write a short poem about the ocean. Use exactly 4 lines. Each line must start with a capital letter."
response_text = "Waves crash upon the sandy shore,\nBeneath the moonlit sky so bright,\nThe ocean sings forevermore,\na lullaby into the night."

think = True
criteria = "Each line of the response starts with a capital letter."

messages = [
    {"role": "user", "content": user_text},
    {"role": "assistant", "content": response_text},
    {"role": "user", "content": build_guardian_block(criteria, think=think)},
]

prompt = tokenizer.apply_chat_template(
    messages, tokenize=False, add_generation_prompt=True
)

output = llm.generate([prompt], sampling_params)
response = output[0].outputs[0].text.strip()
score = parse_output(response)
print(f"Requirement met: {score}")  # no (4th line starts with lowercase "a")

Scope of use

  • Granite Guardian models must only be used strictly for the prescribed scoring mode, which generates yes/no outputs based on the specified template. Any deviation from this intended use may lead to unexpected, potentially unsafe, or harmful outputs. The model may also be prone to such behavior via adversarial attacks.
  • The reasoning traces or chain of thoughts may contain unsafe content and may not be faithful.
  • The model is targeted for risk definitions of general harm, social bias, profanity, violence, sexual content, unethical behavior, jailbreaking, or groundedness/relevance for retrieval-augmented generation, and function calling hallucinations for agentic workflows. It is also applicable for use with custom risk definitions, but these require testing.
  • The model is only trained and tested on English data.
  • Given their parameter size, the main Granite Guardian models are intended for use cases that require moderate cost, latency, and throughput such as model risk assessment, model observability and monitoring, and spot-checking inputs and outputs. Smaller models, like the Granite-Guardian-HAP-38M for recognizing hate, abuse and profanity can be used for guardrailing with stricter cost, latency, or throughput requirements.