Intervention points concepts - Microsoft Foundry Docs

Agentic AI expands both capability and attack surface. When an agent can call external tools, write to databases, or trigger downstream processes, malfunctions or malicious attacks can steer it off course, leak sensitive data, or execute harmful actions. Guardrails applied only at the model level can leave these vectors exposed. To close this gap, Microsoft Foundry lets you apply guardrails directly to agents and configure individual controls at four different intervention points.

Intervention points

Intervention Point	Description	Example Control at this Intervention Point
User input	A query sent from a user to a model or agent. Sometimes referred to as “prompt.” Some controls at this intervention point require the inclusion of document embedding by the user to take effect.	Risk: User input attacks Action: Annotate and block When this control is specified in an agent’s or model’s guardrail, the user’s input is scanned by a classification model that detects jailbreak attacks. If an attack is detected, the user’s input is blocked from being sent to the model, halting the interaction.
Tool call (Preview)	The next action the agent is proposing to take, as generated by its underlying model. The tool call consists of which tool is called and the arguments it’s called with, including data being sent to the tool.	Risk: Hate (High) Action: Annotate and block When this control is specified, every time the agent is about to execute a tool call, the proposed content being sent to the tool is scanned for hateful content. If any is detected, the tool call won’t be executed, and the agent stops functioning until there is another user input.
Tool response (Preview)	The content sent back by a tool, internal to an agent’s orchestration and before the content is added to the agent’s memory or returned to the end user.	Risk: Indirect attack Action: Annotate and block When this control is specified, the full payload sent back from each tool to this agent is scanned for attempted indirect prompt injection attacks. If detected, the agent stops operating immediately, and prevents the malicious content from being saved by the agent and from maliciously steering the agent off-track.
Output	The final content sent back to the end user in response to their query.	Risk: Protected Material for Text Action: Annotate only When this control is specified, the final content meant to be displayed to the user is scanned for certain types of copyrighted text. If detected, there is a flag in the annotation response for the API used to call this model or agent.

Performance considerations
Guardrail processing at each intervention point adds approximately 50-100ms of latency. The actual latency varies based on content length and the number of active controls in your guardrail.

Configure controls at intervention points

When creating a guardrail, you select which controls to enable and at which intervention points to apply them. For example, to protect against indirect attacks in tool responses:

Create a guardrail in Foundry portal.
Add a control for “Indirect attack” risk.
Select “Tool response” as the intervention point.
Choose “Annotate and block” as the action.

For detailed steps, see Create a guardrail.

Supported tools

Tool call and tool response intervention points require moderation support from the tool itself. Currently, the following tools support moderation: Azure AI Search, Azure Functions, OpenAPI, Sharepoint Grounding, Fabric Data Agent, Bing Grounding, Bing Custom Search, and Browser Automation. If you configure controls at tool call or tool response intervention points but your agent uses tools not in this list, those controls won’t take effect for those specific tools.

How to configure guardrails and controls in Microsoft Foundry

Content Streaming in Azure OpenAI