5.1. Input and Output Safety Controls
💡 First Principle: Safety controls for FM applications must operate at multiple independent layers — user input, model processing, and model output — because any single layer can be bypassed. Defense-in-depth means that bypassing one control still leaves two others active.
The threat model for GenAI applications is fundamentally different from traditional application security. The attack surface includes not just API endpoints but the FM's reasoning process itself — an attacker who can manipulate the model's context can execute logic that no traditional firewall or WAF would detect.
⚠️ Common Misconception: Amazon Bedrock Guardrails and IAM policies provide the same protection. In reality, IAM controls WHO can invoke Bedrock (authentication/authorization), while Guardrails control WHAT content flows through the model (input/output content filtering). Both are required and completely independent: a valid IAM role with full Bedrock permissions and no Guardrails equals zero content filtering.
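To make the gap concrete, the following added example (not from the original guide) audits an IAM policy document for statements that allow model invocation without requiring a guardrail. It relies on the IAM condition key `bedrock:GuardrailIdentifier`, which this section does not mention; the policies and the guardrail ARN are constructed samples, and the check is simplified (it ignores `NotAction`, resource scoping, SCPs and other attached policies).

```python
import fnmatch

INVOKE_ACTIONS = ("bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream")
GUARDRAIL_KEY = "bedrock:guardrailidentifier"  # IAM condition keys are case-insensitive
# Constructed placeholder ARN, not a real guardrail.
GUARDRAIL_ARN = "arn:aws:bedrock:us-east-1:111122223333:guardrail/EXAMPLEID:1"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _invoke_actions(stmt):
    """Invoke actions matched by the statement's Action patterns (wildcards included)."""
    patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
    return {a for a in INVOKE_ACTIONS
            if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}

def _has_guardrail_condition(stmt, operators):
    return any(op.lower() in operators and any(k.lower() == GUARDRAIL_KEY for k in keys)
               for op, keys in stmt.get("Condition", {}).items())

def unguarded_invoke_statements(policy):
    """Return Sids of Allow statements that permit invocation with no guardrail required."""
    stmts = _as_list(policy.get("Statement", []))
    # A Deny on "guardrail is not X" covers every Allow: a request with no guardrail
    # has no such key, and negated operators evaluate to true when the key is absent.
    for s in stmts:
        if (s.get("Effect") == "Deny" and _invoke_actions(s) == set(INVOKE_ACTIONS)
                and _has_guardrail_condition(s, {"stringnotequals", "arnnotequals"})):
            return []
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _invoke_actions(s)
            and not _has_guardrail_condition(s, {"stringequals", "arnequals"})]

# Constructed sample policies.
OPEN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllBedrock", "Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}]}
PINNED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "InvokeWithGuardrail", "Effect": "Allow", "Action": "bedrock:InvokeModel",
     "Resource": "*",
     "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": GUARDRAIL_ARN}}}]}
DENY_BACKED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Invoke", "Effect": "Allow", "Action": "bedrock:Invoke*", "Resource": "*"},
    {"Sid": "RequireGuardrail", "Effect": "Deny", "Action": "bedrock:Invoke*",
     "Resource": "*",
     "Condition": {"StringNotEquals": {"bedrock:GuardrailIdentifier": GUARDRAIL_ARN}}}]}

if __name__ == "__main__":
    for name, policy in (("OPEN", OPEN), ("PINNED", PINNED), ("DENY_BACKED", DENY_BACKED)):
        print(name, unguarded_invoke_statements(policy))
```

Only `OPEN` is flagged: it is the "full Bedrock permissions and no Guardrails" case, where the caller is fully authorized and nothing forces content filtering.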
Think of the safety layers as concentric security rings — an attacker must breach every ring to reach unguarded FM output: