Three tiers, routed by risk: inside the Guardian pipeline
There's a tension at the heart of authorizing agents. Check everything deeply and you add latency to actions that didn't need it. Check everything shallowly and you wave through the actions that should have been stopped. The way out isn't picking one depth — it's routing each action to the depth it deserves.
The Guardian pipeline does this with three tiers. Every supported action enters at the cheapest one and only escalates when the risk justifies it.
Tier 1 — Fast Guard
Fast Guard is a rule-based prefilter. It checks the things you can decide without thinking hard: does the agent hold the capability, is the target on a blocklist, is the action within the agent's scope. These are cheap, deterministic checks, and they resolve the overwhelming majority of traffic — reads and routine calls — with low latency. Most actions never need to go further.
Tier 2 — Spot Guard
When an action mutates state, a rule check isn't always enough. Spot Guard is the policy engine: it does risk scoring, looks at cumulative behavior, weighs signals like credential age and recent action history. It's evaluating not just "is this allowed in isolation" but "does this fit the pattern of a well-behaved agent, or is this the third escalating request in a row." Mutating actions and above get this treatment.
Tier 3 — Deep Guard
Some actions are consequential enough to warrant actual reasoning — destructive operations, admin actions. Deep Guard brings AI reasoning (via Claude) to bear: context-aware evaluation that produces a decision with a confidence score, reserved for the small slice of traffic where the cost of being wrong is highest. You don't want this on every read. You very much want it before an agent deletes something.
Routed, not stacked
The point is that these are tiers, not a gauntlet every request runs end to end. A read clears Fast Guard and returns. A mutation gets Spot's scrutiny. A destructive action escalates to Deep. The expensive reasoning is spent only where it changes the outcome, so the common path stays fast and the dangerous path stays careful.
Failing closed where it counts
Depth is only half of trust; the other half is what happens when the machinery itself is degraded. In production, Guardian's JWT verification fails closed when key material is missing — a misconfigured or absent signing key doesn't quietly wave actions through, it stops them. Safety that depends on everything being configured perfectly isn't safety. The default, when in doubt, is to deny.
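The routing described above, sketched as an added example that is not Guardian's own code: every action enters at Fast Guard, mutations and above go on to Spot Guard, and only destructive or admin actions reach the injected Deep Guard call. All names, weights and thresholds are assumptions made for illustration, as is applying deny-by-default to a Deep Guard evaluator that errors or returns low confidence.

```python
# Added illustration: names, weights and thresholds are hypothetical, not Guardian's.
from dataclasses import dataclass
RISK = {"read": 0, "mutate": 1, "destructive": 2, "admin": 2}  # deepest tier required
BLOCKLIST = {"prod/billing"}  # constructed sample target

@dataclass
class Agent:
    capabilities: set
    scope: str                # target prefix the agent may touch
    credential_age_days: int
    recent_kinds: list        # recent action kinds, oldest first

@dataclass
class Action:
    kind: str
    capability: str
    target: str

def fast_guard(agent, action):
    """Tier 1: deterministic capability, blocklist and scope checks."""
    return (action.capability in agent.capabilities
            and action.target not in BLOCKLIST
            and action.target.startswith(agent.scope))

def spot_guard(agent, threshold=0.7):
    """Tier 2: score the trailing run of non-read actions plus credential age."""
    streak = 0
    for kind in reversed(agent.recent_kinds):
        if RISK.get(kind, 2) == 0:
            break
        streak += 1
    stale = 0.4 if agent.credential_age_days > 90 else 0.0
    return min(1.0, 0.2 * streak + stale) < threshold

def authorize(agent, action, deep_guard):
    """Return (decision, deciding tier); unknown kinds are treated as tier 3."""
    depth = RISK.get(action.kind, 2)
    if not fast_guard(agent, action):
        return "deny", "fast"
    if depth == 0:
        return "allow", "fast"
    if not spot_guard(agent):
        return "deny", "spot"
    if depth == 1:
        return "allow", "spot"
    try:
        allowed, confidence = deep_guard(agent, action)  # injected reasoning call
    except Exception:
        return "deny", "deep"  # evaluator unavailable: deny rather than fall through
    return ("allow" if allowed and confidence >= 0.8 else "deny"), "deep"
```

The second element of the result records which tier made the decision, which is the field to log when checking that reads are not reaching the expensive tier.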
Routing by risk is how you get both: speed on the actions that are fine, and real scrutiny on the ones that aren't — without paying for the second on every call.