# InvokeGuardrailChecks vs Classic Guardrails: Which to Use in AI Agents? AWS released the InvokeGuardrailChecks API in Amazon Bedrock Guardrails — a resourceless API that lets you apply individual safeguards at any point in an agentic loop without creating or versioning guardrail resources. In this article, I run a direct head-to-head between this approach and classic resource-based Guardrails, evaluating latency, governance, cost, and fitness for financial-grade mission-critical systems. - URL: https://fernando.moretes.com/blog/invokeguardrailchecks-vs-guardrails-classicos-qual-usar-em-agentes-ai-amazon-bedro - Markdown: https://fernando.moretes.com/blog/invokeguardrailchecks-vs-guardrails-classicos-qual-usar-em-agentes-ai-amazon-bedro/article.md?lang=en - Published: 2026-06-22T12:00:00.000Z - Category: AI & Agents - Tags: bedrock, guardrails, agentic-ai, security, financial-grade, aws, ai-governance, devSecOps - Reading time: 8 min - Source: [Amazon Bedrock Guardrails announces a new API targeting agentic AI workflows](https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-bedrock-guardrails-api-ai/) --- When AWS announced the InvokeGuardrailChecks API in June 2026, a lot of people's first reaction was: 'just another way to do the same thing'. I disagree. This API represents a paradigm shift in how safety governance is applied in agentic systems — and for those designing AI platforms in regulated environments, the difference between the two approaches is not cosmetic. It is the difference between a perimeter firewall and a Zero Trust model applied to every hop of an autonomous workflow. ## The Real Problem: Agentic Loops Are Not Single Requests Before comparing the two approaches, I need to establish the context that makes this choice non-trivial. A modern AI agent — whether a financial reconciliation agent, a compliance assistant, or an onboarding orchestrator — does not execute a single inference. It executes a loop: plans, calls tools, processes outputs, re-plans. A single user request can generate 20 to 60 internal calls before producing a final response. Each step in that loop has a different risk profile. The planning step is exposed to prompt injection via user input. The tool-calling step can leak PII in parameters. The response synthesis step can generate harmful content by combining outputs from multiple tools. Applying a single monolithic guardrail at the start and end of the loop — the classic pattern — is equivalent to running a security check only at the entrance and exit of an airport, ignoring everything that happens in between. Classic Bedrock Guardrails were designed for the request-response pattern: you create a resource, version it, associate it with a model or agent, and policies apply uniformly. This works well for simple chatbots. For financial-grade agentic loops, where each step may have a different set of authorized tools and a different risk level, that model begins to show its structural limitations. ## Classic Guardrails: Strength and Friction of Managed Resources Resource-based Bedrock Guardrails have a solid governance model. You create a resource with `CreateGuardrail`, define content policies, PII filters, denied topics, and grounding protections, obtain a `guardrailId` and `guardrailVersion`, and then associate that resource with model invocations via `ApplyGuardrail` or directly in `InvokeModel` and `InvokeAgent` calls. The lifecycle is auditable: immutable versions, traceable ARNs, integration with CloudTrail and AWS Config for drift detection. For compliance teams in financial institutions, this has real value. An auditor can ask 'which guardrail version was active during transaction X?' and you have a precise answer. The resource is a governance artifact, not just runtime configuration. You can apply SCPs and IAM conditions to restrict who can create or modify guardrails — for example, `bedrock:CreateGuardrail` restricted to a CI/CD pipeline with mandatory MFA. The friction appears when you need differentiated behavior per step. If your agent has 8 distinct steps and each requires a different set of filters, you end up managing 8 guardrail resources, 8 versions, 8 ARNs — and the logic of which guardrail to apply at which step lives in your orchestration code anyway. The separation of concerns promised by the resource model dissolves into operational complexity. ## Two Safety Models for Agentic Loops Flow comparison between classic Guardrails (versioned resource, uniform application) and InvokeGuardrailChecks (resourceless, per-step granular control in the agentic loop) ### 👤 User / Client - User Request financial query (user) ### 🔵 Classic Guardrails Path - Guardrail Resource guardrailId + version (security) - Bedrock Agent InvokeAgent (ai) - ApplyGuardrail INPUT — uniform policy (security) - Agent Loop plan→tool→synthesize (compute) - ApplyGuardrail OUTPUT — same policy (security) ### 🟠 InvokeGuardrailChecks Path - Step 1: Plan PromptAttack check only (compute) - InvokeGuardrailChecks jailbreak + injection (security) - Step 2: Tool Call PII filter + content (compute) - InvokeGuardrailChecks PII + misconduct score (security) - Step 3: Synthesize content filter + leakage (compute) - InvokeGuardrailChecks hate+violence+leakage (security) - Custom Threshold block|retry|log|pass (security) ### 📊 Observability - CloudWatch severity scores + traces (data) - CloudTrail API audit log (security) ### Flows - user -> cg_check_in: classic path - cg_resource -> cg_check_in: associated version - cg_check_in -> cg_agent: input approved - cg_agent -> cg_loop: executes loop - cg_loop -> cg_check_out: final output - user -> igc_step1: granular path - igc_step1 -> igc_check1: check attack - igc_check1 -> igc_step2: score < threshold - igc_step2 -> igc_check2: check PII - igc_check2 -> igc_step3: PII masked - igc_step3 -> igc_check3: check content - igc_check3 -> igc_decision: severity + confidence - igc_decision -> cw: metrics and scores - cg_check_in -> ct: audit log - igc_check1 -> ct: audit log ## InvokeGuardrailChecks: What Actually Changes InvokeGuardrailChecks operates in detect-only mode without creating persistent resources. You specify which safeguards to run directly in the request body — no `guardrailId`, no `guardrailVersion`. The API returns numeric severity and confidence scores for each checked category, and the action logic (block, pass, retry, log) lives entirely in your code. This has concrete system design implications. First, you can implement adaptive thresholds: at the planning step, a prompt injection score above 0.7 blocks; at the synthesis step, the same score above 0.5 already triggers a retry with a more restrictive system instruction. Second, you can compose checks dynamically based on session context — a high-risk user profile receives more aggressive checks without needing a separate guardrail resource. Third, the API is stateless from an AWS resource perspective, which simplifies the permissions model: there is no guardrail ARN to manage in cross-account IAM policies. Prompt attack detection is exposed as an independent safeguard, and each attack vector — jailbreak, prompt injection, prompt leakage — can be invoked separately. For a financial system processing transfer instructions via agent, this means I can apply prompt injection checking only at steps that receive unsanitized user input, without paying the cost of content checking at purely internal steps. In latency terms, each InvokeGuardrailChecks call typically adds 50-150ms depending on the safeguard combination — a cost that needs to be budgeted into the agentic loop's SLO. ## Classic Guardrails vs InvokeGuardrailChecks: Direct Comparison | Criterion | Dimension | Classic Guardrails (resource) | InvokeGuardrailChecks (API) | | --- | --- | --- | --- | | Resource model | Persistent resource with ID + immutable version | No resource; inline config per request | — | | Control granularity | Uniform policy applied at agent input/output | Specific safeguard per loop step, per request | — | | Auditability | ARN + version traceable in CloudTrail; Config rules possible | API calls in CloudTrail; no policy version artifact | — | | Output scores | Binary action (BLOCKED/NONE) with category metadata | Numeric severity + confidence score per category | — | | Action logic | Defined in resource (block/mask); applied by Bedrock | Fully in caller code: block, retry, log, pass | — | | Operational overhead | Version management; deploy pipeline for policy changes | Zero resources to manage; policy changes are code | — | | Estimated additional latency | ~80-200ms per model invocation (coupled check) | ~50-150ms per explicit call (you control when to call) | — | | PII support | PII entity types configured in resource; automatic masking | PII entity types specified per request; detection + score | — | | Cost model | Per text processed by guardrail (text units) | Per API call + text processed; cost proportional to checked steps | — | | Fitness for regulatory compliance | High: versioned, auditable policy artifact | Medium-high: requires code discipline for audit equivalence | — | ## The Financial Case: Where Each Approach Wins and Loses In regulated financial systems — think a credit analysis agent or a treasury operations assistant — audit requirements are non-negotiable. A central bank or securities regulator auditor does not accept 'the policy was in the code' as an answer to 'what content filtering policy was active on March 14 at 14:32?'. Classic Guardrails win here with clarity: you have an immutable `guardrailVersion`, traceable via CloudTrail, and you can reconstruct the exact policy state for any point in time. However, when the same system needs to process an onboarding flow involving document collection, identity verification, risk analysis, and contract generation — four steps with radically different risk profiles — the rigidity of the classic model becomes a design problem. You do not want to apply violent content checking in the credit risk analysis step, but you need aggressive PII detection in the document collection step. With classic Guardrails, you manage multiple resources or accept over-checking with unnecessary cost and latency. InvokeGuardrailChecks solves this elegantly, but transfers governance responsibility to code. In a financial context, this means the 'security policy' is now application code — subject to code review, unit tests, and potentially silent drift if a developer adjusts a threshold without a formal process. The mitigation I implement in these contexts is to treat safeguard configuration as externalized configuration in Parameter Store or AppConfig with mandatory versioning and approval — recreating the auditability of the resource model, but with the flexibility of the API model. ## Decision Matrix: Which Approach for Which Context ### Classic Guardrails (versioned resource) **Pros** - Auditable, immutable policy artifact — ideal for regulatory compliance - Native integration with InvokeAgent and InvokeModel without additional code - Access control via IAM conditions on resource ARN; SCPs applicable - Automatic PII masking without logic in caller code **Cons** - Uniform policy does not scale for agentic loops with heterogeneous steps - Operational overhead of versioning and deploying policy changes - Inevitable over-checking if a single resource covers multiple risk profiles - No numeric scores — binary action limits adaptive retry logic **Verdict:** Use when policy auditability is a hard regulatory requirement and the workflow is relatively uniform in risk profile. ### InvokeGuardrailChecks (resourceless API) **Pros** - Per-step granular control: different safeguards for different loop steps - Numeric severity and confidence scores enable adaptive thresholds - Zero resource management overhead; policy changes are code deploys - Dynamic composition of checks based on session or user context **Cons** - Policy governance transferred to code — risk of silent drift - No native policy version artifact; auditability requires additional discipline - Action logic (block/retry/log) must be implemented and tested by the team - Cost proportional to number of checked steps — requires careful budgeting **Verdict:** Use when the agentic loop has steps with heterogeneous risk profiles and you need fine-grained control over thresholds and actions per step. ### Hybrid Approach (resource + API) **Pros** - Classic guardrail at the perimeter (agent input/output) for regulatory auditability - InvokeGuardrailChecks at high-risk internal steps for granular control - Best of both worlds: auditable artifact + per-step flexibility **Cons** - Higher implementation and testing complexity - Combined cost of resources + API calls per step - Two mental models for the team to maintain and operate **Verdict:** Recommended for mission-critical financial systems: auditable perimeter with internal granularity. > **Numeric Scores Change the Game for High-Availability Systems:** The most underestimated difference between the two approaches is the numeric score output from InvokeGuardrailChecks. In a financial system with a 99.9% availability SLO, a binary block action at an internal agent step can mean request failure for the end user. With numeric scores, you can implement an intelligent retry pattern: a prompt injection score between 0.5 and 0.7 triggers a retry with a more restrictive system prompt before escalating to a block; above 0.7, it blocks immediately. This reduces false positives that degrade user experience without compromising security posture. This graceful degradation capability is what separates a production security system from a prototype. ## Anti-Patterns I Have Seen in Production - Applying InvokeGuardrailChecks at EVERY loop step without risk profile analysis — the accumulated cost and latency invalidate the agent's SLO. - Using a single classic Guardrail to cover a 10+ step agentic loop with heterogeneous risk profiles — results in over-blocking at internal steps or under-protection at high-risk steps. - Treating InvokeGuardrailChecks thresholds as hardcoded constants in code — without externalization and versioning, you lose policy change traceability. - Ignoring confidence scores and using only severity — a high severity score with low confidence has very different semantics from high severity with high confidence. - Not instrumenting InvokeGuardrailChecks calls with OpenTelemetry spans — without distributed traces per step, you cannot correlate security blocks with SLO degradation. ## Observability and Governance: Closing the Hybrid Approach Gap The biggest concern I hear from CISOs and compliance architects when I present InvokeGuardrailChecks is: 'how do I prove to an auditor that the policy was correct at a specific moment?' The answer is not in the API itself, but in the architecture around it. First, I externalize safeguard configuration in AWS AppConfig with structured feature flags. Each combination of safeguards per loop step is a versioned configuration document, with mandatory approval via CI/CD pipeline and a record of who approved and when. AppConfig has native CloudTrail integration, so every configuration change is auditable with the same rigor as a `guardrailVersion`. Second, I instrument each InvokeGuardrailChecks call with an OpenTelemetry span that includes: the SHA-256 hash of the safeguard configuration used, the returned scores, the action taken, and the loop step ID. These spans are correlated with the distributed trace of the complete request and exported to Datadog or CloudWatch with 90-day retention for audit purposes. In a security incident, I can reconstruct exactly which checks were applied, with which parameters, and which score was returned — functional equivalent of the `guardrailVersion` in the classic model. Third, I define CloudWatch alerts on custom metrics derived from scores: `p99(severityScore) > 0.6` per loop step, with alarms that escalate to an SNS topic monitored by the security team. This closes the detection loop without relying on manual log review. ## Well-Architected Framework Lenses - **security**: InvokeGuardrailChecks enables Zero Trust per agentic loop step — each hop is verified independently. For financial compliance, combine with versioned AppConfig to maintain policy auditability without sacrificing granularity. Apply IAM conditions with `bedrock:guardrailContentFilterStrength` to restrict which safeguards can be invoked per role. - **reliability**: Numeric scores enable intelligent retry before definitive blocking — reduces false positives that degrade availability. Implement a circuit breaker on the InvokeGuardrailChecks call: if the API returns a 5xx error, define explicit fallback behavior (fail-open with log or fail-closed) based on the step's risk level. > **My Perspective After Designing Agentic Systems in Regulated Environments:** In practice, I adopt the hybrid approach for any mission-critical financial system: classic Guardrail at the agent perimeter to satisfy the auditor, InvokeGuardrailChecks at high-risk internal steps for granular control. The hardest lesson I have learned is that security governance in agentic systems is not an API problem — it is a process problem: without externalization and versioning of safeguard configuration, you trade an auditable artifact for silent policy drift. The second point I emphasize to every team I advise: instrument the numeric scores as business metrics, not just security logs — the correlation between prompt injection score and session abandonment rate reveals attack patterns that no SIEM will show you on its own. ## Final Recommendation: It Is Not a Binary Choice InvokeGuardrailChecks does not replace classic Guardrails — it solves a different problem. For simple agentic systems with a uniform risk profile and regulatory audit requirements, classic Guardrails remain the right choice: lower complexity, native auditable artifact, integration without additional code. For complex agentic loops with heterogeneous steps — which is the majority of real financial use cases — InvokeGuardrailChecks is superior in granularity and flexibility, but requires architectural discipline to compensate for the absence of a native policy artifact. My concrete recommendation: adopt the hybrid approach for mission-critical financial systems. Use a classic Guardrail at the agent perimeter (user input and final output) for regulatory auditability. Use InvokeGuardrailChecks at high-risk internal steps — tool calls that process sensitive data, synthesis steps that combine multiple sources. Externalize safeguard configuration in AppConfig with mandatory approval. Instrument scores as business metrics with OpenTelemetry. And treat thresholds as reviewed code — not as forgotten constants in a configuration file. ## References - [Amazon Bedrock Guardrails — InvokeGuardrailChecks API (What's New)](https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-bedrock-guardrails-api-ai/) - [Amazon Bedrock Guardrails Technical Documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) - [Amazon Bedrock AgentCore Harness — Generally Available](https://aws.amazon.com/blogs/machine-learning/amazon-bedrock-agentcore-harness-is-now-generally-available-go-from-idea-to-production-grade-agent-in-minutes/) - [Amazon Bedrock AgentCore — New Optimization Capabilities](https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-bedrock-agentcore-new-optimization-capabilities) - [AWS AppConfig — Feature Flags and Configuration Versioning](https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html) - [AWS Well-Architected Framework — Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) - [OpenTelemetry — Distributed Tracing for AI Workloads](https://opentelemetry.io/docs/)