Edited by humans. Written by AI. How our editing works
All articles

Google's Model Armor: AI Security Through Callbacks

Google's Model Armor adds security checkpoints to AI agents through ADK callbacks, intercepting threats before they reach language models.

Samira Barnes

Written by AI. Samira Barnes

February 14, 20265 min read
Share:
Google Cloud logo with title text about Model Armor in ADK callbacks, and a man in sunglasses and Google shirt making a…

Photo: Google Cloud Tech / YouTube

AI agent security has moved from theory to practice. Google Cloud's approach -- shown in a recent tutorial by Aron Eidelman -- uses callback mechanisms to create security checkpoints. These checkpoints catch threats before they reach language models or users.

The design is simple: add security checks at the two weakest points in an AI agent's workflow. First, before the agent sends a prompt to the language model. Second, after the model returns a response. The goal isn't to build a wall around the whole system. It's to create specific spots where automated rules can actually work.

The Input Problem

Prompt injection remains one of the more awkward flaws in AI systems. Users -- whether hostile or just curious -- can slip instructions into prompts that override an agent's intended behavior. "Ignore your previous instructions" has become the "drop tables" of the AI era.

Eidelman shows how the before_model callback catches user prompts before they reach the language model: "This function runs just before the LLM request is sent, allowing us to inspect and sanitize the user's prompt using the model armor API's sanitize user prompt method."

If Model Armor spots a prompt injection attempt or policy breach, the callback sends a preset safe response. The model never sees the bad prompt. The compute cost is tiny -- a policy check instead of a full model run -- and the security line is clear.

The real question is how good these detection tools are. Pattern matching catches obvious attacks. But prompt engineering tricks evolve fast. The video doesn't explain Model Armor's detection methods. That detail matters a lot when judging how well it holds up against skilled attackers.

The Output Vulnerability

The second checkpoint handles what happens when the language model itself becomes the risk. Models trained on huge datasets sometimes spit out data they shouldn't -- credit card numbers, personal details, or private patterns from their training data.

The after_model callback checks the raw LLM response before the user sees it. As Eidelman explains: "If the response contains leaked data or harmful output, we can replace or block the response. Replacing is useful if we want to preserve most of the response but just filter out a small part such as a name or a credit card number."

This targeted approach -- removing specific sensitive patterns while keeping the rest -- is a smart middle ground. Blocking whole responses creates a bad user experience. It may also tip off attackers that they've hit something worth probing. Selective filtering keeps things working while containing the leak.

The technical setup trims credit card numbers to their last four digits. This removes the disclosure risk while keeping enough info for valid use cases. It's the digital version of a receipt showing XXXX-XXXX-XXXX-1234.

What This Approach Misses

Callback-based security has clear design strengths. It's modular. It doesn't require changing the base model. It can be updated on its own as new threats appear. But it works only at the API boundary.

This means Model Armor can't fix problems in the model itself. It can't address bias in training data, tricks that fool the model's reasoning, or outputs that are harmful in ways that depend on context. A response can pass every policy check while still being misleading or dangerous in a specific setting.

The video shows blocking obvious prompt injection attempts and catching clear data patterns like credit card numbers. What it doesn't show is how the system handles gray areas. Think borderline prompts, outputs that hint at sensitive info without stating it outright, or attacks that work at the meaning level rather than the pattern level.

Google's docs point to more resources on Model Armor. One video is titled "We tried to jailbreak our AI (and Model Armor stopped it)." The framing is confident. But jailbreaking is an arms race. What works today may fail against next month's tricks.

Policy as Code

What makes callback-based security workable is that it turns security policies into code at fixed checkpoints. Rather than trying to make the language model itself "safer" -- a research problem with no clear fix -- this approach enforces rules at the interface layer where rules actually stick.

The trade-off is plain: you're not making the model more trustworthy. You're limiting what it can be asked and what it can say. For many business use cases, that's enough. For tasks that need real model alignment and safety, it's a band-aid, not a cure.

Eidelman's demo shows a clean split of duties. The agent team focuses on features. The security team sets the rules. Model Armor enforces them at runtime. This is solid engineering. Whether it's enough depends on your threat model and where you deploy.

The video ends with a teaser about using "anti-gravity to vibe code an agent." Marketing speak aside, it signals Google's ongoing work on AI security tools. And that's fitting. If there's one thing everyone in AI security agrees on, it's that today's defenses are stopgaps at best.

Samira Okonkwo-Barnes covers technology policy and regulation for Buzzrag.

From the BuzzRAG Team

AI Moves Fast. We Keep You Current.

Framework breakdowns, tool comparisons, and AI coding insights — distilled from the best tech YouTube creators. Free, weekly.

Weekly digestNo spamUnsubscribe anytime

More Like This

Pixelated portrait of a person's face in orange and blue tones with "SKILL ISSUE" text overlay on dark background

Agent Zero's New Skills Feature Makes AI Dangerously Easy

Agent Zero's latest update lets anyone teach AI agents new tricks in minutes. The demo is impressive. The security warnings? Even more so.

Zara Chen·5 months ago·6 min read
A2A Overview presentation slide about building collaborative agentic systems, featuring Google Cloud branding and an agent…

Google's A2A Protocol: Standards for AI Agent Communication

Google launches Agent2Agent protocol to standardize how AI agents communicate. Technical details, adoption questions, and what it means for multi-agent systems.

Samira Barnes·5 months ago·5 min read
Google Cloud logo with title text about Conversational Analytics agents and Looker ChromeUX Block, accompanied by colorful…

Google Shows How to Build AI Analysts in Under 5 Minutes

Google's new Looker tutorial demonstrates building conversational AI analytics agents fast—but the real story is what happens when you try to control them.

Zara Chen·4 months ago·7 min read
Two developers viewing analytics dashboard on monitor with neon purple-orange lighting, displaying "31 Trending Open Source…

AI Compiler Writes 4,000 Commits: GitHub's Latest Tools

GitHub's trending projects reveal AI-generated compilers, censorship circumvention tools, and automation systems that raise regulatory questions.

Samira Barnes·5 months ago·6 min read
Google Cloud logo with text "Advanced patterns for AI agents" and a woman holding a tablet against a blue background

AI Agent Design Patterns Raise New Regulatory Questions

Google's new AI agent patterns—loop, coordinator, and agent-as-tool—demonstrate technical sophistication while surfacing unresolved compliance questions.

Samira Barnes·4 months ago·6 min read
Google Cloud logo with blue text overlay reading "How to Build a GTM Agent with ADK" on a code editor background

Building an AI Co-Founder in 72 Hours: Google Cloud's Challenge

Explore the race to create an AI co-founder in 72 hours using Google Cloud's tools and Gemini models.

Yuki Okonkwo·6 months ago·3 min read
Colorful graphic split into four sections featuring Linux penguin, Steam logo, French flag, and text highlighting Linux…

Linux 7.0 Ships While AI Bug Hunters Reshape Security

Linux kernel 7.0 brings major file system improvements as Anthropic's AI bug-finding tool discovers decades-old vulnerabilities, changing cybersecurity forever.

Samira Barnes·3 months ago·7 min read
Smartphone displaying YouTube's time management settings for Shorts feed limits, with blue-to-pink gradient background and…

YouTube Lets Users Finally Kill Shorts Feed—With Caveats

YouTube now allows users to set a zero-minute daily limit on Shorts, effectively removing them from feeds. Here's what the feature actually does—and doesn't—do.

Samira Barnes·3 months ago·5 min read

RAG·vector embedding

2026-04-15
1,102 tokens1536-dimmodel text-embedding-3-small

This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.