Anthropic’s Claude isn’t safe by accident. As Simon Willison notes in his overview of “how we contain Claude,” safety comes from layered containment you can reuse in your own stack.
Source: How we contain Claude by Simon Willison.
Why “containment” matters
Containment limits what an AI can see, do, and say. It reduces blast radius when models hallucinate, get prompt-injected, or call tools unsafely.
9 reusable guardrails you can apply now
- Constitution + system prompt: Encode non-negotiables (privacy, safety, scope) in a system message and policy docs. Keep it short, testable, and versioned. See Anthropic’s Model Spec for Safety.
- Capability-scoped tools: Expose only the functions the task needs. Require explicit arguments, validate inputs, and allowlist endpoints per task.
- Data-access boundaries: Use retrieval with allow/deny lists and tenancy filters. Never pass raw secrets; hand the model only the minimum context.
- Output sandboxes: Run generated code, SQL, or shell commands in a jailed runtime with quotas and no network by default.
- Prompt-injection defenses: Treat all external text as untrusted. Segment instructions from content, strip/escape markup, and verify provenance. Start with the OWASP LLM Top 10.
- Human-in-the-loop permissions: Gate high-impact actions (spend, write, delete) behind user confirmation or reviewer approval flows.
- Budgets and circuit breakers: Enforce rate limits, token caps, and per-task spend ceilings. Kill long-running or looping tool chains.
- Safety filters + second model: Add pre/post filters and use a lightweight safety model to screen risky inputs/outputs before release.
- Telemetry, audits, and evals: Log prompts, tool calls, and decisions. Run red-team suites and regression evals before each release.
Quick start checklist
- Write a one-page system policy, publish it in code, and reference it in every prompt.
- Wrap tools behind a broker that enforces allowlists and schema validation.
- Introduce a read-only RAG layer with tenancy filters before giving raw docs to the model.
- Sandbox executable outputs; default to no network, low CPU/memory, and timeouts.
- Add injection guards: content segmentation, escaping, and signed/provenance-checked data only.
- Require human confirmation for irreversible or spend-related actions.
- Set token/spend budgets and implement a global circuit breaker.
- Log everything; add safety and quality evals to CI before deploys.
Sources and further reading
• Simon Willison: How we contain Claude
• Anthropic: Model Spec for Safety
• OWASP: LLM Top 10
Takeaway
Safety scales when you contain capabilities, not just words. Layer prompts, permissions, and policy with hard technical controls and continuous evals.
Get smarter weekly
Enjoy nuggets like this? Subscribe to our free newsletter for bite-size AI insights, tools, and playbooks: theainuggets.com/newsletter.
