Trust & Architecture

How Guard works.

Guard is a compliance platform that sits between your AI tools and the AI provider. It intercepts every API call, scans for Australian PII and prompt injection, enforces data jurisdiction, generates a cryptographically signed attestation, and stores it in a 7-year tamper-evident audit trail.

This page explains how Guard works, where it runs, and how it maps to your regulatory obligations. It's written for the people who need to evaluate Guard before recommending it: CISOs, heads of compliance, IT architects, and security teams.

Architecture overview

Guard is an API proxy running on Google Cloud infrastructure in Sydney (australia-southeast1). It sits between your application (or your staff's AI tools) and the AI provider: OpenAI, Azure OpenAI, Anthropic Claude, AWS Bedrock, Google Vertex AI, or any other model accessible via API.

Integration requires two configuration changes: update the base URL to point to Guard, and add a Guard API key. Your application talks to Guard exactly as it would talk to the AI provider directly. No SDK changes, no code refactoring.

On every API call, Guard performs the following sequence before the request reaches the AI model:

  1. 1
    PII scan — scans prompt text and attachment content for Australian PII types
  2. 2
    Prompt injection scan — checks for known injection patterns in both text and documents
  3. 3
    Jurisdiction check — verifies the destination meets your data residency policy
  4. 4
    Policy enforcement — applies your configured action (block, mask, flag and allow)
  5. 5
    Attestation generation — creates a cryptographically signed record of the call and all check results
  6. 6
    Evidence storage — writes the attestation to an immutable, append-only evidence vault with 7-year retention
Your app (or AI tool) API call Guard Sydney (australia- southeast1) Scan · Sign · Enforce forwarded AI provider OpenAI · Bedrock etc. attestation Evidence vault (7-yr)

Every API call is intercepted, scanned, attested, and evidence written to the vault — before the request reaches the AI provider.

Infrastructure and security

Guard runs on infrastructure designed to meet the security requirements of Australian regulated industries.

Hosting
Google Cloud Platform, Sydney region (australia-southeast1). IRAP PROTECTED-assessed infrastructure. HCF Certified Strategic hosting certification.
Data boundary enforcement
Google Cloud Assured Workloads ensures that data processing and storage remain within Australian infrastructure boundaries.
Encryption
Customer-managed encryption keys (CMEK) via Google Cloud KMS. Your organisation holds and controls the encryption keys used to protect your data.
Cryptographic signing
Attestations are signed using Cloud KMS ECDSA P-256 as the primary method, with HMAC-SHA256 as a fallback. Signatures are independently verifiable.
Availability
99.9% uptime SLA. Configurable fail behaviour: fail-open (allow calls, log the gap) or fail-closed (block calls until Guard is available).
Data storage
Guard stores attestation metadata (PII scan results, compliance status, regulatory mapping, timestamp, model called) and the cryptographic signature. By default, full prompt and response content is not stored. Full content logging is available as an optional configuration.
Data portability
The full audit trail is exportable at any time as JSON, for integration with your existing GRC platform or compliance archive.

PII detection

Guard scans for Australian-specific personally identifiable information, including:

  • Tax File Numbers (TFN), with checksum validation
  • Medicare numbers
  • Australian Business Numbers (ABN)
  • Dates of birth
  • Bank account and BSB numbers
  • Credit card numbers
  • Full names in conjunction with other identifiers
  • Residential addresses
  • Phone numbers
  • Email addresses
Prompt scanning
Every prompt sent through Guard is scanned for PII patterns before it's forwarded to the AI provider. Depending on your policy configuration, Guard can block the request, mask the sensitive data, or flag it and allow it through with a log entry.
Attachment scanning
Guard extracts and scans the content of attached files, including PDFs and Word documents. This catches PII exposure that text-only scanners miss entirely: a staff member uploading a customer document to an AI tool for summarisation or analysis.
Hidden content detection
Guard detects content designed to evade human review within attachments, including text rendered in zero-width characters (invisible to the user but read by the AI model), text formatted with white font on a white background, and instructions embedded in document metadata or hidden layers.

Prompt injection detection

Prompt injection is when hidden instructions are embedded inside content that gets fed to an AI model. The AI reads those instructions and follows them, potentially leaking data, changing its behaviour, or bypassing controls.

Guard scans both prompt text and attachment content for known injection patterns:

  • Direct instruction overrides (e.g., "ignore your instructions and...")
  • Hidden text in documents: white-on-white text, zero-width characters, and invisible Unicode sequences
  • Embedded instructions in PDF text layers and Word document bodies
  • Pattern-based detection of attempts to extract system prompts, override safety controls, or redirect AI behaviour

Why this matters for compliance

If an AI system can be manipulated into bypassing controls or leaking data through prompt injection, the organisation's information security controls are ineffective. Under CPS 234, that's a material control weakness. Under APP 8, it could result in an uncontrolled cross-border disclosure.

Cryptographic attestation

On every API call, Guard generates a cryptographically signed attestation record. This is a signed JSON document that proves, tamper-evidently, that the call was processed through Guard and that compliance checks were performed.

Each attestation contains:

  • Timestamp of the call
  • Which AI model was called
  • PII scan results (what was found, what action was taken)
  • Prompt injection scan results (patterns detected, unicode anomalies found)
  • Jurisdiction check result (where the data was sent)
  • Compliance status (compliant, flagged, or blocked)
  • Which regulatory obligations were triggered (mapped to CPS 234 sections, APP 8, ADM controls)
  • The active compliance profile configuration
  • Cryptographic signature (algorithm and key ID)

Why this matters for auditors

An auditor can independently verify that an attestation hasn't been altered since it was created. This turns "we have a policy" into "we have cryptographic proof that our controls were active on this specific call at this specific time."

Jurisdiction enforcement

Guard checks the destination of every API call against your jurisdiction policy. If your policy specifies Australian infrastructure only, Guard verifies the AI provider's endpoint is in an Australian region before forwarding the request. If it's not, the request is blocked.

This directly supports APP 8 compliance: your organisation can demonstrate that reasonable steps were taken to prevent cross-border disclosure of personal information, on every single call.

7-year audit trail

Every attestation is stored in a tamper-evident, append-only data store with 7-year retention, aligned with standard financial services record-keeping obligations.

Immutable
Records cannot be modified or deleted after creation.
Exportable
The full trail can be exported as JSON for integration with your GRC platform or compliance register.
Searchable
Filter by date, model, PII flag, compliance status, or regulatory obligation.
Available
Covered by the 99.9% uptime SLA.

Regulatory mapping

Guard maps its findings to three regulatory frameworks on every call.

CPS 234 (APRA Information Security)

Board responsibility (S15)

Compliance dashboard provides real-time view of AI security posture. Board reports exportable directly.

Security capability (S16–18)

Guard monitors every AI provider interaction automatically. Third-party AI providers are assessed on every call.

Controls (S22–23)

PII scanning, jurisdiction enforcement, prompt injection detection, and content policy checks enforced on every API call.

Testing (S27–31)

Continuous attestation provides evidence that controls were active and effective on every call, not just at testing time. Exportable as JSON for auditor review.

Incident notification (S35)

PII finding logs and compliance status records create an evidence trail for identifying and reporting incidents. If PII was exposed, Guard's logs show exactly when, what type, and where it went.

Control weakness (S36)

Real-time monitoring surfaces control weaknesses immediately, not months later during an audit.

APP 8 (Cross-border disclosure)

Reasonable steps

PII scanning on every prompt before data leaves the organisation. PII can be blocked, masked, or flagged according to policy.

Jurisdiction enforcement

Per-call verification that data destinations meet your residency policy.

Accountability

Signed attestation on every call creates evidence that reasonable steps were taken.

Documentation

7-year tamper-evident record, ready for auditor review at any time.

ADM transparency (December 2026)

Identify ADM systems

Logs every AI interaction: which model, what data, what response. Creates the inventory of ADM systems your organisation needs.

Disclose decision types

Regulatory mapping tags each call against applicable obligations, creating the raw material for privacy policy disclosures.

Disclose personal information types

PII detection log records exactly which types of personal information were present in each interaction.

Human-in-the-loop logging

Logs every AI interaction regardless of whether it's fully automated or human-assisted. Captures the AI's contribution to the decision.

Compliance reporting

Guard generates two types of compliance reports as downloadable PDFs:

CPS 234 compliance reports
Map Guard evidence against CPS 234 control sections (asset classification, third-party oversight, controls active, incident management). Designed to go straight into an auditor's evidence pack or a board paper.
ADM transparency reports
Document AI system usage, data inputs, decision basis, and attestation integrity against ADM transparency controls. Ready for the December 2026 obligations.

What Guard doesn't replace

Guard is the continuous monitoring and evidence layer for AI usage. It does not replace your organisation's broader information security framework, board-level AI governance policy, privacy impact assessments, incident response planning, or vendor risk assessments for non-AI systems. These remain your responsibility (or your consulting partner's). Guard handles the part that nobody else can do continuously and automatically: proving your AI controls are working, on every call, with signed evidence.

Questions?

If you'd like to discuss Guard's architecture, security, or compliance capabilities in more detail, book a 45-minute technical call with our team.

Book a 45-minute technical call → Back to FAQ

40° South acknowledges the Traditional Custodians of the lands on which we work and live. We pay our respects to Elders past, present, and emerging, and recognise their continuing connection to land, waters, and culture.