On July 13, the Ant AI Security Lab announced the open-source of the intelligent agent safety barrier SingGuard-NSFA and disclosed detailed information about the multimodal safety barrier SingGuard. The two models are designed for two cutting-edge scenarios: "autonomous executing agents" and "multimodal interaction large models," marking Ant's further improvement of its systematic layout in the field of AI security.
As AI moves from content generation to autonomous execution, security issues are expanding from model output to behavior control, permission management, and system governance. Intelligent agents now independently call tools, run code, and plan tasks, while models have gradually gained the ability to understand multimodal information such as images and text. As AI system capabilities continue to expand, new security challenges arise.
In the past year, security incidents such as prompt injection, misuse of permissions, malicious code execution, and data leaks have continued to occur. Examples include the prompt poisoning of Amazon Q, the data leak of Microsoft Copilot, and the prompt injection risks exposed by the open-source agent OpenClaw. These cases show that the stronger the autonomy of intelligent agents, the more pronounced the amplification effect of security risks. In December 2025, OWASP released the "Top 10 Risks for Intelligent Agent Application Security," systematically summarizing unique security threats of intelligent agents; in May 2026, the Cyberspace Administration of China, the National Development and Reform Commission, and the Ministry of Industry and Information Technology jointly issued the "Opinions on the Standardized Application and Innovative Development of Intelligent Agents," which clearly outlined requirements for intelligent agent security governance at the national level for the first time.
In this context, the open-sourcing of these two security models by the Ant AI Security Lab aims to provide more comprehensive underlying security capabilities for large models and intelligent agents.
SingGuard-NSFA: Install a "Real-Time Brake" for Intelligent Agent Operations
As intelligent agents move from "answering questions" to "performing tasks autonomously," AI begins to call tools, execute code, and orchestrate multi-step tasks. Security risks are no longer limited to the content level but increasingly appear in the behavioral level. Issues such as prompt injection, sensitive information theft, malicious code execution, resource exhaustion, and permission abuse are difficult to effectively cover with traditional content review systems.
To address this pain point, the Ant AI Security Lab introduced SingGuard-NSFA, which performs real-time security detection before an intelligent agent executes actions, building a behavioral security protection system from both request interception and response backup.
SingGuard-NSFA is based on the CIA (Confidentiality, Integrity, Availability) principles and combines international security guidelines such as OWASP. It categorizes intelligent agent risks into seven major categories, 28 intermediate categories, and 185 specific scenarios, and establishes a comprehensive intelligent agent security evaluation system covering 133 languages and nearly 100,000 samples.
In terms of technical implementation, SingGuard-NSFA meets both security audit and real-time protection needs. It provides two working modes: one mode can generate detailed risk analysis reports line by line, facilitating post-event review and compliance records; another mode can complete single-risk assessment within about 50 milliseconds, suitable for real-time interception in high-concurrency online scenarios. It also offers four model sizes: 0.8B, 2B, 4B, and 9B, meeting different deployment needs.

Multiple public evaluations show that SingGuard-NSFA achieves leading performance in intelligent agent input and output security detection. For instance, the 0.8B model can achieve the performance level of an 8B model. When adding new risk categories, only a lightweight module needs training without retraining the entire model, further enhancing the detection capability of existing security barriers.
SingGuard: A "Versatile Gatekeeper" for Multimodal Content Security
Another critical defense line parallel to intelligent agent operational security is content security in multimodal interaction scenarios. In June this year, Anthropic released its flagship model Claude Fable5, which was bypassed by researchers using Unicode characters and Cyrillic letters to replace sensitive words within days— the model could restore the original meaning, but the classifier regarded it as unfamiliar spelling, thus exposing the system prompt. This indicates that the more capable a model is at understanding distorted text, images, and cross-modal information, the more inadequate traditional keyword-based barriers become.
SingGuard was designed specifically for this purpose. It establishes a unified security judgment framework for text, images, and cross-modal content, identifying complex attacks where malicious actions are hidden in different modalities like text or images. It also supports dynamic loading of natural language security rules during runtime, allowing rule updates without retraining the model, making it more suitable for production environments with continuously evolving rules and high traffic.
In terms of reasoning mechanisms, SingGuard adopts a "fast and slow" approach: it first quickly completes preliminary judgments, and only initiates further reasoning when facing complex scenarios, ensuring efficiency while improving detection accuracy.

In six major categories of evaluations covering text queries, text responses, images, multimodal, and multilingual content, SingGuard achieved the highest average F1 score across 35 datasets and evaluation splits. Its comparison objects include industry-leading mainstream barriers such as Llama Guard3, Google ShieldGemma, GPT-5.1, and Gemini3-Pro, and SingGuard has consistently outperformed them.
Huna Ying, Deputy Director of the Security Governance Department at the Institute of Artificial Intelligence, China Academy of Information and Communications Technology, stated that as large models transition from content generation to autonomous execution, AI security is extending from content review to behavioral control and system governance, becoming a crucial foundational capability for the large-scale application of intelligent agents. The Ant AI Security Lab has conducted specialized security audits on the open-source intelligent agent framework OpenClaw and, in April this year, jointly launched the open-source intelligent agent security defense plugin ClawAegis with Tsinghua University, providing comprehensive security protection throughout the lifecycle of autonomous agents. The open-sourcing of SingGuard-NSFA and the multimodal security barrier SingGuard represents an important practice of Ant Group's continuous efforts in AI security technology research and development and the construction of an open ecosystem.
The development and open-sourcing of these security technologies are built upon over two decades of security technology experience accumulated by Ant Group. Relying on long-term practices in payment security, data security, privacy protection, and risk governance, Ant continues to improve its AI security system. Relevant capabilities have already been applied in business scenarios such as Ant Afu, the AI version of Alipay "Abao," and "AI Pay" on Alipay.
At the same time, Ant Group continues to participate in the development of AI security standards and governance systems. It has participated in the drafting of the "Technical Specification for Trusted Interconnection of Terminal Intelligent Agents" by IIFAA, led the initiation of the ITU international standard "Technical Specification for Trusted Interconnection of Terminal Intelligent Agents," and released the intelligent agent security and trusted interconnection protocol ASL, continuously promoting the transformation of AI security capabilities from technological innovation to industrial practice.
