[BUG] Structured output model triggering Prompt Attack Guardrail

[juliangrueber]

Checks

• I have updated to the lastest minor and patch version of Strands
• I have checked the documentation and this is not expected behavior
• I have searched ./issues and there are no duplicates of my issue

Strands Version

1.17.0

Python Version

3.12

Operating System

CloudDesktop

Installation Method

pip

Steps to Reproduce

1. Create a Bedrock Guardrail with a prompt attack filter (strength: medium).
2. Add the guardrail to the Bedrock Model.
3. Define a structured output model.
4. Add the structured output model and the Bedrock Model to the agent.
5. Run agent("Hello").

The stop reason will be "guardrail_intervened" due to the following message:

sdk-python/src/strands/event_loop/event_loop.py

Lines 233 to 235 in 62534de

	await agent._append_message(
	{"role": "user", "content": [{"text": "You must format the previous response as structured output."}]}
	)

Expected Behavior

The usage of an structured output model should not trigger the guardrails

Actual Behavior

guardrail intervened

Additional Context

No response

Possible Solution

No response

Related Issues

No response

[mkmeral]

hey Julian, can you share your code on how Bedrock model provider is configured? And can you let me know what problem are you trying to solve by enabling/disabling guardrails for different requests?

With the current behavior of Strands Agents, when guardrail ID is configured, all requests sent to Bedrock will go through guardrails, regardless of how you call the agent.

If you would like to avoid invoking guardrails, you would need to update model provider config to remove guardrail id and/or guardrail version.

# 1. Configure Bedrock model WITH guardrails initially
model = BedrockModel(
    model_id="us.anthropic.claude-sonnet-4-20250514-v1:0",
    guardrail_id="your-guardrail-id",
    guardrail_version="1",
    region_name="us-west-2"
)

# 2. Create agent with the model
agent = Agent(
    name="weather-agent",
    model=model,
    instructions="You are a helpful weather assistant."
)

# 3. Call agent normally (guardrails will be applied)
response = agent("What's the weather like?")
print(response)

# 4. Update model config to REMOVE guardrails before structured output
model.update_config(
    guardrail_id=None,
    guardrail_version=None
)

# 5. Now call structured output without guardrails
result = agent.structured_output(
    output_model=WeatherResponse,
    prompt="What's the weather in Seattle?"
)
print(result)

[juliangrueber]

Thanks a lot for the prompt response. The system prompt does not get checked by guardrails, see Guarding a system prompt sent to the Converse API. This default behaviour is inherited by Strands, too.

The root cause is that we present the system instruction "You must format the previous response as structured output." as a user message which causes the false positive by the Bedrock Guardrails.

The following two approaches can solve this:

1. Change the message to {"role": "assistant", "content": [{"text": "I must format the previous response as structured output."}]}
2. Apply guardContent in the message, see Evaluate only specific content in a message

This would be the code to reproduce the issue:

from strands import Agent
from strands.models import BedrockModel


import logging
from concurrent.futures import ThreadPoolExecutor
from collections import Counter

from pydantic import BaseModel

class output(BaseModel):
    age: str
    user_message: str

logging.basicConfig(level=logging.INFO)

SYSTEM_PROMPT = "You are an friendly assistant"

n_experiments = 1

def run_agent():
    model = BedrockModel(
        region_name="eu-central-2",
        model_id="anthropic.claude-3-5-sonnet-20240620-v1:0",
        guardrail_id="<YOUR-GUARDRAIL-ID>",
        guardrail_version="<YOUR-GUARDRAIL-VERSION>",
        guardrail_trace="enabled_full",
    )
    agent = Agent(system_prompt=SYSTEM_PROMPT, 
                  model=model, 
                 structured_output_model=output)
    return agent("hello, how are you doing?")

with ThreadPoolExecutor(max_workers=10) as executor:
    results = list(executor.map(lambda _: run_agent(), range(n_experiments)))

stop_reasons = [r.stop_reason for r in results]

counts = Counter(stop_reasons)
print(f"Stop reason counts: {dict(counts)}")


print(results[0].to_dict())