Layer 1: regex blacklist on known patterns (decode tricks, “ignore previous”). Layer 2: Presidio redacts PII. Layer 3: Lakera scores jailbreak risk. Layer 4: low temperature and constrained decoding at the LLM step. Each layer can fail; redundancy catches the rest.
Regex: “ignore previous” pattern -> reject.
Presidio: redact emails/phones before model sees them.
Lakera: classifier score < 0.85 -> reject.
LLM step: temperature=0, max_tokens=200, JSON-mode constrained output.
input -> regex -> presidio -> lakera -> low-T constrained LLM
Each layer reduces attack surface
No single defense catches everything. Layered + low temperature + constrained output is robust.