Skip to main content

Ant Group open-sources two security models to rein in AI agents

As AI systems evolve from generating text to taking actions on their own, a new breed of security threats has emerged. On July 13, Ant Group's AI Security Lab open-sourced two models aimed at keeping these autonomous agents and multimodal models in check: SingGuard-NSFA and SingGuard.

Why the sudden focus on agent security?

Remember when AI just answered questions? Now, intelligent agents can call tools, run code, and plan multi-step tasks. That's great for productivity, but it also opens the door to prompt injection, permission misuse, malicious code execution, and data leaks. Recent incidents like Amazon Q's prompt poisoning, Microsoft Copilot's data leak, and the OpenClaw agent's injection risks show that the more autonomy an agent has, the bigger the blast radius of a security flaw.

In December 2025, OWASP released its "Top 10 Risks for Intelligent Agent Application Security," and in May 2026, China's cyberspace and industry regulators jointly issued guidelines on agent security governance. The message is clear: the industry needs better guardrails.

SingGuard-NSFA: A real-time brake for agent actions

Traditional content filters can't catch behavioral risks. SingGuard-NSFA steps in before an agent executes an action, checking both the request and the response in real time. It categorizes risks into 7 major types, 28 subcategories, and 185 specific scenarios, backed by a dataset of nearly 100,000 samples across 133 languages.

What's impressive is its speed: a single risk check takes about 50 milliseconds, making it suitable for high-traffic online services. It comes in four sizes (0.8B, 2B, 4B, and 9B parameters) to fit different deployment needs. And if new risk categories emerge, you only need to train a lightweight module, not the whole model.

Image

SingGuard: A versatile gatekeeper for multimodal content

Text-only guardrails are no longer enough. In June, Anthropic's Claude Fable5 was tricked by replacing sensitive words with Unicode characters and Cyrillic letters—the model understood the meaning, but the classifier didn't flag it. SingGuard handles text, images, and cross-modal content under one unified framework. It uses a "fast and slow" reasoning approach: quick initial checks, then deeper analysis only when needed. It also supports dynamic rule updates without retraining.

Image

In benchmarks across 35 datasets, SingGuard outperformed Llama Guard3, Google ShieldGemma, GPT-5.1, and Gemini3-Pro on average F1 scores.

A broader push for AI safety

These models build on Ant Group's two decades of experience in payment security, data protection, and risk governance. They're already in use in products like Ant Afu and Alipay's AI assistant. Ant is also contributing to international standards, including an ITU standard for trusted interconnection of terminal agents.

As Huna Ying from the China Academy of Information and Communications Technology put it: "As large models move from content generation to autonomous execution, AI security is extending from content review to behavioral control and system governance." The open-sourcing of these models is a practical step toward making that vision a reality.

Key Points

  • Ant Group open-sources two security models: SingGuard-NSFA for agent behavior safety and SingGuard for multimodal content safety.
  • SingGuard-NSFA performs real-time risk checks in ~50ms, covering 185 risk scenarios across 133 languages.
  • SingGuard handles text, image, and cross-modal threats, outperforming major competitors in benchmarks.
  • The move responds to rising security incidents and new regulatory guidelines on agent security.