en.Wedoany.com Reported - Ant Group recently open-sourced two AI security frameworks—SingGuard-NSFA for agent security and SingGuard for multimodal large models—aiming to shift from "vulnerability patching" to building a "security framework" to address behavioral risks posed by large models.
The MIIT's NVDB platform previously issued a risk warning, pointing out that Claude Code has a security backdoor risk that could collect sensitive information without user knowledge. OpenClaw has also been repeatedly exposed to high-risk vulnerabilities. This reflects a common development trajectory for current Agent products, from rapid adoption to eroded trust. As AI capabilities continue to grow, behavioral risks such as tool misuse, malicious code generation, and prompt injection are intensifying.

As the nature of security risks evolves, the industry is shifting its focus from reviewing model output content to ensuring model behavioral safety. The SingGuard-NSFA and SingGuard frameworks open-sourced by Ant Group are launched against this backdrop.

These frameworks come from Ant Group, a company long dedicated to payment security and risk control systems. AI security is a natural extension of its ongoing evolution in security capabilities.
Traditional AI security primarily relied on content review, but large models are no longer limited to chat; they now invoke tools and run code. Traditional content security classification systems cannot cover model behavioral risks. Meanwhile, multimodal risks exist not only in text but may also be hidden in image details, text-image combinations, or the model's own responses. The security red lines for different business scenarios are also dynamically changing. What the industry needs is not patches, but a foundational framework capable of defining security boundaries, addressing unknown risks, and adapting to rule changes.
SingGuard-NSFA is a dual-mode inference guardrail framework for agent security, available in four sizes: 0.8B, 2B, 4B, and 9B. This framework performs security checks before agent execution, setting up barriers at both the request interception and response fallback stages, advancing the defense line from text compliance to behavioral safety. This judgment is supported by a systematic NSFA risk classification system and a multilingual evaluation benchmark. Ant Group uses the CIA triad (Confidentiality, Integrity, Availability) as its theoretical foundation, combined with three OWASP guides for large model and agent security, to deconstruct agent risks. The framework employs a generative mode to output chain-of-thought reasoning analysis based on NSFA definitions for offline compliance auditing; a discriminative mode directly provides confidence scores for each risk domain with a latency of 45 to 57 milliseconds, suitable for high-throughput real-time online interception. Since the backbone network is frozen, new risks only require training lightweight classification heads, enabling native scalability.

This architecture can be used as a plugin. For example, adding a classification head to Llama Guard 3 improves the user request security benchmark F1 score by 17.6 percentage points. SingGuard-NSFA achieves state-of-the-art (SOTA) results on three evaluation benchmarks: user request security, model response security, and cross-dataset generalization. The 0.8B model performs on par with 8B competitors, while the 9B model achieves a 91.29% F1 score on generalization tasks, with a more balanced precision and recall.
The other open-sourced framework, SingGuard, targets multimodal large models and is available in four sizes: 0.8B, 2B, 4B, and 8B. This framework takes security rules as runtime input, allowing different business domains to deploy their respective red lines on the fly, and the model makes judgments rule by rule accordingly. On the inference side, it adopts a fast-slow division: fast thinking handles low-latency, instant judgments, while slow thinking handles deep, rule-by-rule reasoning, with automatic switching via early exit. To address the efficiency bottleneck of parallel review for multiple rules, Ant Group proposes RI-Mask, which encodes shared image-text context only once and enables parallel judgment of multiple rules, achieving up to a 5x speedup in multimodal reasoning.


SingGuard-NSFA and SingGuard target AI behavior and AI perception, respectively, but both emphasize process explainability and scalability for new risks. Which specific rule is violated and the basis for the decision can be traced, and new risks require only lightweight expansion.
Earlier this year, Ant Group's AI Security Lab discovered several high-risk vulnerabilities and assisted in their official remediation. Subsequently, Ant Group and Tsinghua University jointly open-sourced ClawAegis, providing agents with a security solution covering the entire product lifecycle. The open-sourcing of these security frameworks is a continuation of this path, from vulnerability discovery to scenario-specific solutions, and then to reusable foundational frameworks. Ant Group's agent security products have received the highest-level certification from the China Academy of Information and Communications Technology's (CAICT) TEL Laboratory.

As Agents become more deeply integrated into office, development, and daily life scenarios, AI security will enter a new phase. Establishing a security infrastructure that can continuously adapt to evolving risks is a core challenge the industry must address next.






