SanitizeModelResponse policy

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

The SanitizeModelResponse policy protects AI clients from harmful or offensive content by sanitizing responses from generative AI models. The policy uses Model Armor to evaluate model responses for harmful or offensive content, enabling native protection for AI clients and workloads using Apigee. Model Armor is a Google Cloud service offering AI security and safety measures to mitigate the risks associated with large language models (LLMs).

This policy is used in conjunction with the SanitizeModelResponse policy.

This policy is an Extensible policy and use of this policy might have cost or utilization implications, depending on your Apigee license. For information on policy types and usage implications, see Policy types.

Before you begin

Before you use the SanitizeModelResponse policy, you must complete the following tasks:

  • Create a Model Armor template. This step must be completed before you create a SanitizeModelResponse policy.
  • Set the API endpoint for the Model Armor service.

Required roles

To get the permissions that you need to apply and use the SanitizeModelResponse policy, ask your administrator to grant you the following IAM roles on the service account you use to deploy Apigee proxies:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable APIs

Enable the Model Armor APIs.

Enable the APIs

<SanitizeModelResponse> element

Defines a SanitizeModelResponse policy.

Default Value See Default Policy tab, below
Required? Required
Type Complex object
Parent Element N/A
Child Elements <DisplayName>
<IgnoreUnresolvedVariables>
<TemplateName>
<UserPromptSource>
<LLMResponseSource>

The <SanitizeModelResponse> element uses the following syntax:

Syntax

<SanitizeModelResponse async="false" continueOnError="false" enabled="true" name="sanitize-response">
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <DisplayName>sanitize-response-sample</DisplayName>
  <ModelArmor>
    <TemplateName>projects/{project}/locations/{location}/templates/{template-name}</TemplateName>
  </ModelArmor>
  <UserPromptSource>{jsonPath('$.contents[-1].parts[-1].text',request.content,true)}</UserPromptSource>
  <LLMResponseSource>{jsonPath($.candidates[-1].content.parts,response.content,true)}</LLMResponseSource>
</SanitizeModelResponse>

Default Policy

The following example shows the default settings when you add a SanitizeModelResponse policy to your request flow in the Apigee UI:

<SanitizeModelResponse async="false" continueOnError="false" enabled="true" name="sanitize-response">
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <DisplayName>sanitize-response-sample</DisplayName>
  <ModelArmor>
    <TemplateName>projects/{project}/locations/{location}/templates/{template-name}</TemplateName>
  </ModelArmor>
  <UserPromptSource>{jsonPath('$.contents[-1].parts[-1].text',request.content,true)}</UserPromptSource>
  <LLMResponseSource>{jsonPath($.candidates[-1].content.parts,response.content,true)}</LLMResponseSource>
</SanitizeModelResponse>

When you insert a new SanitizeModelResponse policy using the Apigee UI, the template contains stubs for all possible operations. See below for information on required elements.

This element has the following attributes that are common to all policies:

Attribute Default Required? Description
name N/A Required

The internal name of the policy. The value of the name attribute can contain letters, numbers, spaces, hyphens, underscores, and periods. This value cannot exceed 255 characters.

Optionally, use the <DisplayName> element to label the policy in the management UI proxy editor with a different, natural-language name.
continueOnError false Optional Set to false to return an error when a policy fails. This is expected behavior for most policies. Set to true to have flow execution continue even after a policy fails. See also:
enabled true Optional Set to true to enforce the policy. Set to false to turn off the policy. The policy will not be enforced even if it remains attached to a flow.
async   false Deprecated This attribute is deprecated.

The following table provides a high level description of the child elements of <SanitizeModelResponse>:

Child Element Required? Description
<DisplayName> Optional The name of the policy.
<IgnoreUnresolvedVariables> Optional Specifies whether processing stops if the variable used for the template name or Model Armor payload is unresolved.
<TemplateName> Required The Model Armor template used to sanitize the LLM response.

This value can be templated using the following Apigee flow variables: 

projects/{organization.name}/locations/{system.region.name}/templates/{id}

<UserPromptSource> Required The location of the payload for the user prompt text to be extracted. Only string text values are supported.

This field supports Apigee message template syntax, including the use of variables or JSON Path functions.

For example: 

{jsonpath('$.contents[-1].parts[-1].text',request.content,false)}
<LLMResponseSource> Required The location of the payload for the LLM response text to be extracted. Only string text values are supported.

This field supports Apigee message template syntax, including the use of variables or JSON Path functions.

For example: 

{jsonpath('$.input.prompt.text',request.content,false)}

Child element reference

This section describes the child elements of <SanitizeModelResponse>.

<DisplayName>

Use in addition to the name attribute to label the policy in the management UI proxy editor with a different, more natural-sounding name.

The <DisplayName> element is common to all policies.

Default Value N/A
Required? Optional. If you omit <DisplayName>, the value of the policy's name attribute is used.
Type String
Parent Element <PolicyElement>
Child Elements None

The <DisplayName> element uses the following syntax:

Syntax

<PolicyElement>
  <DisplayName>POLICY_DISPLAY_NAME</DisplayName>
  ...
</PolicyElement>

Example

<PolicyElement>
  <DisplayName>My Validation Policy</DisplayName>
</PolicyElement>

The <DisplayName> element has no attributes or child elements.

<IgnoreUnresolvedVariables>

Determines whether processing stops when a variable is unresolved. Set to true to ignore unresolved variables and continue processing.

Default Value False
Required? Optional
Type Boolean
Parent Element <SanitizeModelResponse>
Child Elements None

<TemplateName>

The Model Armor template.

Default Value N/A
Required? Required
Type String
Parent Element <SanitizeModelResponse>
Child Elements None

The <TemplateName> element uses the following syntax:

Syntax

<ModelArmor>
  <TemplateName>projects/{project}/locations/{location}/templates/{template-name}</TemplateName>
</ModelArmor>

Example

This example uses Apigee flow variables to populate the required information.

<ModelArmor>
  <TemplateName>projects/{organization.name}/locations/{system.region.name}/templates/{id}</TemplateName>
</ModelArmor>

<UserPromptSource>

The location of the payload for the user prompt text to be extracted. Only string text values are supported.

This field supports Apigee message template syntax, including the use of variables or JSON Path functions. For example: 

{jsonpath('$.input.prompt.text',request.content,false)}
Default Value {jsonPath($.contents[-1].parts[-1].text,request.content,true)}
Required? Required
Type String
Parent Element <SanitizeModelResponse>
Child Elements None

<LLMResponseSource>

The location of the payload for the LLM response to be extracted. Only string text values are supported.

This field supports Apigee message template syntax, including the use of variables or JSON Path functions. For example: 

{jsonpath('$.input.prompt.text',request.content,false)}
Default Value {jsonPath($.candidates[-1].content.parts,response.content,true)}
Required? Required
Type String
Parent Element <SanitizeModelResponse>
Child Elements None

Flow variables

Flow variables can be used to configure dynamic runtime behavior for policies and flows, based on HTTP headers or message content, or the context available in the Flow. For more information about flow variables, see Flow variables reference.

The policy can set these read-only variables during execution.

Variable name Description
SanitizeModelResponse.POLICY_NAME.templateUsed Specifies which model armor template is used. For example: projects/myproject/locations/us-west1/templates/mytemplate
SanitizeModelResponse.POLICY_NAME.userPrompt Specifies the prompt content used for the call to Model Armor to sanitize the content.
SanitizeModelResponse.POLICY_NAME.modelResponse Specifies the LLM response content used for the call to Model Armor to sanitize the content.
SanitizeModelResponse.POLICY_NAME.responseFromModelArmor Specifies the json response from Model Armor. Model Armor.
SanitizeModelResponse.POLICY_NAME.filterMatchState Specifies whether the filter was matched. Valid values include MATCH_FOUND and NO_MATCH_FOUND.
SanitizeModelResponse.POLICY_NAME.invocationResult A field indicating the outcome of the invocation, irrespective of match status. It can have the following:
  • SUCCESS: All filters executed successfully.
  • PARTIAL: Some filters were skipped or failed execution.
  • FAILURE: All filters were skipped or failed execution.
SanitizeModelResponse.POLICY_NAME.raiFilterResult.executionState Rai filter execution result. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED.
SanitizeModelResponse.POLICY_NAME.raiFilterResult.matchState Rai filter match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND.
SanitizeModelResponse.POLICY_NAME.sdpFilterResult.inspectResult.executionState Sdp filter inspect result execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED.
SanitizeModelResponse.POLICY_NAME.sdpFilterResult.inspectResult.matchState Sdp filter inspect result match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND.
SanitizeModelResponse.POLICY_NAME.sdpFilterResult.deidentifyResult.executionState Sdp filter de identify result execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED.
SanitizeModelResponse.POLICY_NAME.sdpFilterResult.deidentifyResult.matchState Sdp filter de identify result match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND.
SanitizeModelResponse.POLICY_NAME.piAndJailbreakFilterResult.executionState Prompt injection and Jailbreak filter results execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED.
SanitizeModelResponse.POLICY_NAME.piAndJailbreakFilterResult.matchState Prompt injection and Jailbreak filter results match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND.
SanitizeModelResponse.POLICY_NAME.csamFilterFilterResult.executionState CSAM filter execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED.
SanitizeModelResponse.POLICY_NAME.csamFilterFilterResult.matchState CSAM filter match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND.
SanitizeModelResponse.POLICY_NAME.maliciousUriFilterResult.executionState Malicious URI filter execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED.
SanitizeModelResponse.POLICY_NAME.maliciousUriFilterResult.matchState Malicious URI filter match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND.
SanitizeModelResponse.POLICY_NAME.sanitizationMetadata.errorCode Custom overridden Error code if present in Model Armor response.
SanitizeModelResponse.POLICY_NAME.sanitizationMetadata.errorMessage Custom overridden Error code if present in Model Armor response.
SanitizeModelResponse.POLICY_NAME.csamFilterMatched/code> Boolean value indicating whether the CSAM filter matched.
SanitizeModelResponse.POLICY_NAME.maliciousURIs Appended list of malicious URIs detected by the malicious URI filter.
SanitizeModelResponse.POLICY_NAME.maliciousURIsDetected Boolean value indicating whether the malicious URI filter matched.
SanitizeModelResponse.POLICY_NAME.matchesFound Boolean value indicating whether any of the filters matched.
SanitizeModelResponse.POLICY_NAME.promptInjectionDetected Boolean value indicating whether the prompt injection filter matched.
SanitizeModelResponse.POLICY_NAME.promptInjectionConfidence Confidence level of prompt injection detection.
SanitizeModelResponse.POLICY_NAME.raiMatchesFound Boolean value indicating whether the RAI filter matched.
SanitizeModelResponse.POLICY_NAME.requestSentToModelArmor Boolean value indicating whether a request was sent to Model Armor.
SanitizeModelResponse.POLICY_NAME.sanitizeOperation Specifies the operation performed by the policy. Valid values include SANITIZE_USER_PROMPT and SANITIZE_MODEL_RESPONSE.

Error reference

This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee specific to the <SanitizeModelResponse> policy. This information is important to know if you are developing fault rules to handle faults. To learn more, see What you need to know about policy errors and Handling faults.

Runtime errors

Fault code HTTP status Cause
steps.sanitize.model.response.FilterMatched 400 This error occurs if the user prompt does not pass the Model Armor template check.
steps.sanitize.model.response.SanitizationResponseParsingFailed 500 This error occurs if the Model Armor response cannot be parsed.
steps.sanitize.model.response.FailedToExtractUserPrompt 500 This error occurs if the automatic user prompt extraction for the default value failed.
steps.sanitize.model.response.FailedToExtractLLMResponse 500 This error occurs if the automatic model response extraction for the default value failed.
steps.sanitize.model.response.InternalError 500 This error occurs if there is an internal server error.
steps.sanitize.model.response.ModelArmorTemplateNameExtractionFailed 500 This error occurs if the template name cannot be resolved.
steps.sanitize.model.response.AuthenticationFailure 500 This error occurs if the service account does not have permission to call the Model Armor API.
steps.sanitize.model.response.ModelArmorAPIFailed 500 This error occurs if the Model Armor API throws an error.
steps.sanitize.model.response.ModelArmorCalloutError 500 This error occurs if the Model Armor API call fails.
steps.sanitize.modelarmor.ServiceUnavailable 500 This error occurs if the Model Armor service is unavailable.

Deployment errors

These errors can occur when you deploy a proxy containing this policy.

Error name Cause
The ModelArmor/TemplateName element is required. Occurs if the <TemplateName> element in <ModelArmor> is not present.
The TemplateName element value is required. Occurs if the <TemplateName> value is empty.

Fault variables

These variables are set when this policy triggers an error at runtime. For more information, see What you need to know about policy errors.

Variables Where Example
fault.name="FAULT_NAME" FAULT_NAME is the name of the fault, as listed in the Runtime errors table above. The fault name is the last part of the fault code. fault.name Matches "UnresolvedVariable"
SanitizeModelResponse.POLICY_NAME.failed POLICY_NAME is the user-specified name of the policy that threw the fault. SanitizeModelResponse.sanitize-response.failed = true

Example error response

{
  "fault": {
    "faultstring": "SanitizeModelResponse[sanitize-response]: unable to resolve variable [variable_name]",
    "detail": {
      "errorcode": "steps.sanitizemodelresponse.UnresolvedVariable"
    }
  }
}

Example fault rule

<FaultRule name="SanitizeModelResponse Faults">
    <Step>
        <Name>SMR-CustomSetVariableErrorResponse</Name>
        <Condition>(fault.name = "SetVariableFailed")</Condition>
    </Step>
    <Condition>(sanitizemodelresponse.failed = true)</Condition>
</FaultRule>

Model Armor template error code and error messages

The Model Armor template supports overriding error codes and error messages thrown by the SanitizeModelResponse policy's API requests. If the user sets the overrides, then the Model Armor error codes and error messages will populate the flow variables.

For example, a response with Model Armor error codes and messages could look like the following: 

{
"sanitizationResult": {
  "filterMatchState": "MATCH_FOUND",
  "filterResults": {...},
  "sanitizationMetadata": {
    "errorCode": "890",
    "errorMessage": "get out"
  },
  "invocationResult": "SUCCESS"
  }
}

Schemas

Each policy type is defined by an XML schema (.xsd). For reference, policy schemas are available on GitHub.