Dynamic Guardian: Adaptive Runtime Oversight
- Dynamic Guardian is a family of runtime safety filters that adapt policies, inputs, and uncertainty instead of relying on fixed static guardrails.
- It integrates various mechanisms including policy-conditioned models, OOD detection, advisory systems, and safety filters across diverse domains with low latency and high detection metrics.
- The approach shifts moderation from static enforcement to state-dependent intervention, enhancing performance in language moderation, control systems, and multi-agent collaboration.
Dynamic Guardian is a family of runtime safety and oversight mechanisms in which a guardian model, filter, or dynamical component adapts to policies, inputs, plans, trajectories, or state uncertainty rather than relying only on predefined static categories. In current arXiv usage, the term spans dynamic guardian models for user-defined policies, adaptive guardrails for novel jailbreaks, advisory guardians that preserve the base model’s original spec, mediator subagents for skill-file access, pre-execution plan auditors for agentic systems, temporal-graph anomaly detectors for multi-agent collaboration, and uncertainty-aware safety filters for control systems with neural network estimators (Hoover et al., 2 Sep 2025, Yang et al., 21 Sep 2025, Huang et al., 8 Apr 2026, Fujinuma et al., 1 Jun 2026, Huang et al., 10 Oct 2025, Zhou et al., 25 May 2025, Rober et al., 5 Feb 2026).
1. Conceptual scope and defining contrast
A recurring motivation is the inadequacy of fixed guardrails. Standard guardian models like LlamaGuard detect predefined, static categories of harms; hard-gated safety checkers often over-refuse and misalign with a vendor’s model spec; and post-execution guardrails leave little room for controllable supervision at the plan level (Hoover et al., 2 Sep 2025, Huang et al., 8 Apr 2026, Huang et al., 10 Oct 2025). In deployment settings, the same limitation appears as post-deployment degradation: a static guardrail trained on historical safe or unsafe prompts can face unseen jailbreaks for which “DSR drops to 12 %” (Yang et al., 21 Sep 2025).
This suggests that “dynamic” is used along several distinct axes rather than as a single architecture. Across the cited works, the dynamic component may be policy-conditioned at inference time, continually updated after OOD detection, advisory rather than hard-gated, mediated through a separate subagent, attached to an unexecuted plan, reconstructed from temporal interaction graphs, or derived from verified state-uncertainty sets.
| Setting | Dynamic mechanism | Reported characteristic |
|---|---|---|
| User-defined policies | Runtime rules scored in parallel | DynaGuard-8B: DynaBench 72.5 F1; CoT 73.1 |
| Novel jailbreaks | OOD detector + continual updater | Precision=95.8 %, Recall=96.4 %, F1=96.1 % |
| Advisory LLM safety | Risk label + concise explanation prepended for re-inference | Below 5% of base-model compute; 2-10% overhead |
| Skill-file mediation | Guardian LLM mediates every file-read call | Dynamic: ASR 12.9%, TSR 82.8% |
| Pre-execution planning | Cross-planner adapter + Safiron | Acc_cls 0.949; Prec_harm 0.973 |
| Multi-agent collaboration | Temporal graph reconstruction and anomaly removal | Anomaly-detection rate –95%; FDR <20% |
| Safety-critical control | Verified state bounds + HJ safety filter | Per-step cost s |
2. Policy-conditioned guardians for free-form rules
DynaGuard formalizes a dynamic guardian as a model that evaluates text against user-defined policies supplied at runtime as a small natural-language document of rules . During training, each policy is broken into its individual rules so that the model learns to judge one rule at a time; at inference, all rules are scored in parallel via batched inputs. With candidate text , the paper defines a violation-scoring function and the binary decision rule
DynaGuard is built by fine-tuning a small open-weight instruction-tuned transformer, “the Qwen3 family in our experiments,” with an additional linear head that emits either <answer>[PASS](https://www.emergentmind.com/topics/pinching-antenna-systems-pass-5a5ea466-270d-48a7-81e8-bf45cd018280)</answer> or <answer>FAIL</answer>, and optionally > ... rationales in a chain-of-thought mode (Hoover et al., 2 Sep 2025).
The architecture exposes a speed-interpretability trade-off. Fast mode requests only the final answer and an optional short explanation, whereas CoT mode prepends <think> and forces generation of a rationale before the final PASS or FAIL. The reported runtime is “≈150 ms per turn” in fast mode and “≈200 ms per turn (plus ≈50 ms for rationale decoding)” in CoT mode, compared with “≈350 ms per turn” for a GPT-4o-mini baseline on similar tasks. Empirically, the model matches or exceeds existing guardians on static benchmarks while improving markedly on out-of-distribution policies: on DynaBench, DynaGuard-8B reaches 72.5 F1 in fast mode and 73.1 in CoT mode, whereas LlamaGuard3 reports 13.1; on the “Static Safety Avg” column, DynaGuard-8B reports 79.6 and DynaGuard-8B (CoT) 81.1 (Hoover et al., 2 Sep 2025).
In this formulation, the dynamic guardian is not merely a broader taxonomy of harms. It is a policy interpreter with a runtime decision rule, threshold calibration, optional rationale generation, and batched evaluation over arbitrary user-supplied rules. A plausible implication is that the central innovation lies in replacing fixed harm ontologies with runtime policy specification while preserving latency close to static moderation.
3. Adaptive and advisory guardians
AdaptiveGuard frames dynamic guarding as post-deployment adaptation. Its threat model distinguishes an in-distribution over “natural” safe or known unsafe prompts from an adversarial over jailbreak prompts crafted to bypass guardrails. The pipeline combines a GPT-2 classifier, a feature extractor from the penultimate layer, Mahalanobis-score OOD detection, and a continual updater implemented through LoRA adapters. The OOD score is
where 0 is the Mahalanobis distance from the feature 1 to class-conditional means with shared covariance, and prompts are flagged when 2 with 3 set as a high quantile of in-distribution scores. On flagged OOD examples, the post-deployment update freezes base weights and updates only 4 toward the label unsafe. Reported results include “Precision=95.8 %, Recall=96.4 %, F1=96.1 %” for OOD detection, “median 5 updates to reach 100 % DSR for AdaptiveGuard+CL,” “AdaptiveGuard+CL median F1=85 %,” and “inference 0.01s, memory 1.3 GB vs LlamaGuard-8B 1.1s & 27.1 GB” (Yang et al., 21 Sep 2025).
Guardian-as-an-Advisor takes a different route. Rather than hard-gating, it introduces a soft-gating pipeline in which a guardian predicts “a binary risk label plus a concise explanation and prepends this advice to the original query for re-inference, keeping the base model operating under its original spec.” To support this workflow, the paper constructs GuardSet, “a 208k+ multi-domain dataset unifying harmful and harmless cases with targeted robustness and honesty slices,” and trains GuardAdvisor via SFT followed by RL “to enforce label-explanation consistency.” The latency study reports that advisor inference uses “below 5% of base-model compute” and adds “only 2-10% end-to-end overhead under realistic harmful-input rates” (Huang et al., 8 Apr 2026).
The two systems exemplify different meanings of dynamicity. AdaptiveGuard is dynamic because it detects novel jailbreak attacks as out-of-distribution inputs and learns to defend against them through a continual learning framework. Guardian-as-an-Advisor is dynamic because it intervenes at inference time through advice-conditioned re-inference rather than binary refusal. This suggests a useful distinction between adaptive guardians, which update parameters post deployment, and advisory guardians, which alter the context seen by the base model without replacing the base model’s policy.
4. Agentic and multi-agent instantiations
In terminal-based agents, the Dynamic Guardian is an intermediary LLM agent that mediates access to skill files. The defense “interposes a small mediator subagent (‘guardian LLM’) between every file-read call and the main agent,” routes requests through an MCP server, reads the raw document from disk, and returns only a sanitized response. “Crucially, the agent never sees the raw file content—only the guardian’s filtered/summarized response.” In the main comparison on Claude-Sonnet-4.5 + Claude-Code, Vanilla reports ASR 36.0% and TSR 80.0%, whereas Dynamic reports ASR 12.9% and TSR 82.8%; on reframed attacks, Vanilla reaches 81.4% ASR and Dynamic reduces it to 18.6%, both with TSR 95.3% (Fujinuma et al., 1 Jun 2026).
A second agentic usage is pre-execution guarding. Safiron is presented as a “foundational guardrail” comprising a cross-planner adapter and a compact guardian model that inspects the full, unexecuted trajectory before any tool call or environment action. AuraGen synthesizes benign trajectories, injects category-labeled risks with controlled difficulty, and filters outputs via a reward model; the adapter normalizes heterogeneous planner outputs; and Safiron returns a harmful/harmless label, a fine-grained risk category, and a rationale. On Pre-Exec Bench, the reported results are: GPT-4o with Acc_cls 0.606, Prec_harm 0.822, Acc_risk 0.319, Acc_exp 0.310; DeepSeek-V3 with 0.652, 0.602, 0.247, 0.227; Safiron (SFT only) with 0.956, 0.939, 0.566, 0.508; and Safiron (SFT+GRPO) with 0.949, 0.973, 0.646, 0.570 (Huang et al., 10 Oct 2025).
A third usage appears in multi-agent collaboration, where “Dynamic GUARDIAN” models dialogue as a discrete-time temporal attributed graph 6 with nodes representing agents at rounds, directed edges encoding communication, and node attributes given by textual embeddings. A two-layer GCN encoder reconstructs node attributes and graph structure; anomaly scores combine node-level attribute-reconstruction and structure-reconstruction errors; and an incremental training paradigm removes anomalous nodes before the next round. Reported findings include “anomaly-detection rate ∼80–95% across scenarios, FDR <20%,” “API calls reduced by ~40% vs. baselines,” and “runtime per question is the lowest among defense methods (e.g. 18.9 s vs 26 s–76 s on MMLU)” (Zhou et al., 25 May 2025).
Taken together, these systems shift the guardian from single-turn moderation to orchestration over tools, plans, documents, and interacting agents. A plausible implication is that the dynamic guardian becomes most valuable when the protected object is no longer an isolated prompt or response, but a structured process with intermediate states.
5. Dynamic safety filtering in control systems
In safety-critical control, GUARDIAN denotes “Guaranteed Uncertainty-Aware Reachability Defense against Adversarial INterference,” a safety filtering framework for systems with NN-based state estimators. The framework couples three components: runtime NN verification that computes guaranteed output bounds under input perturbations, a modified Hamilton–Jacobi reachability analysis for set-valued state estimates, and a switching safety filter that guards a nominal controller. With estimator 7, attacked observation 8, and verified state set 9, the continuation value is
0
and the applied control is
1
If the nominal command cannot be certified safe over the entire estimate set, the filter “kicks in” and replaces it by the HJ-optimal safe action (Rober et al., 5 Feb 2026).
The paper states a “Theorem (GUARDIAN Invariance)” under which, if 2 and the verified set and filter are constructed as specified, then 3 for all 4. Online complexity is divided into NNV bound propagation, hyperrectangle construction, evaluation of 5, and, if needed, a one-dimensional maximization over controls. The reported timing is “6ms per call” for NNV bound propagation, “7ms” for continuation-value evaluation, and total per-step cost “8s” in a runway taxiing example. In experiments, a targeted PGD attack with 9 causes an unfiltered system to depart the runway, whereas GUARDIAN keeps the aircraft safe across “0 Monte Carlo rollouts” (Rober et al., 5 Feb 2026).
Here the dynamic guardian is not a language-model moderator but a runtime safety filter defined over verified uncertainty sets and reachable safe sets. The common pattern with LLM guardrails is structural rather than domain-specific: a nominal policy is preserved whenever safety can be certified and replaced only when certification fails.
6. Broader dynamical and mathematical usages
A distinct, non-LLM usage models the guardian as a genuinely evolving species. In the target-partaker-guardian reaction-advection-diffusion system, 1, 2, and 3 denote target, partaker, and guardian densities, with the guardian equation
4
The paper emphasizes that “5 is not a passive background parameter but a fully time- and space-dependent field that diffuses and taxis up target-gradients 6,” that “its total mass 7 is fixed,” and that the competition between diffusion and advective aggregation underlies both suppression and unintended oscillatory behavior (Yerlanov et al., 18 Oct 2025).
The target-offender-guardian crime literature sharpens this into threshold phenomena. With attractiveness 8, offender density 9, and guardian density 0, the nondimensionalized system includes
1
Spectral analysis identifies a steady-state bifurcation threshold 2 and a Hopf threshold 3. The criminological interpretation given in the paper is that below 4 the system remains spatially uniform, above 5 persistent hotspots appear, and at 6 spatially inhomogeneous time-periodic solutions emerge; the numerical simulations further exhibit stationary patterns, periodic oscillations, and chaotic dynamics (Yerlanov et al., 15 Sep 2025).
A neighboring but distinct mathematical usage is the theory of guardian maps for continuous-time systems. There, a guardian map is a scalar-valued map for Hurwitz stability that is nonzero in the stable region and vanishes on the boundary, and a guardian representation is a Lie-algebra representation 7 such that 8 is a guardian map. This is terminologically adjacent to dynamic guardian work, but it addresses stability certification rather than runtime moderation, adaptation, or mediation (Bar-Shalom et al., 21 Sep 2025).
Across these literatures, Dynamic Guardian denotes a shift from static prohibition to state-dependent intervention. In LLM safety, the state is a prompt, policy, plan, skill file, or temporal interaction graph; in control, it is a verified uncertainty set; in reaction-advection-diffusion models, it is a spatiotemporal guardian field. This suggests that the unifying feature is not a single implementation, but the insistence that guardianship be computed from the current situation rather than fixed in advance.