Proposed Integration: Aegis Protocol as a Zero-Trust Identity + Governance Layer for NeMo Guardrails Deployments

[RandWhyTheQAGuy]

Hi NeMo team and community,

I’d like to open a discussion around a potential integration between NeMo Guardrails / Aegis Content Safety and an open source project I've been working on called Aegis Protocol. It is an identity, security, and governance framework for agentic systems under Apache 2.0 and written in C++/Python.

Repo: https://github.com/RandWhyTheQAGuy/aegis-protocol

The short version: NeMo Guardrails does an excellent job filtering what agents say and do at the content layer. Aegis Protocol operates one layer below that - establishing who the agent is, whether it's authorized to act, and creating a tamper-evident record of every decision it makes. These two projects are complementary, rather than overlapping.

Specific integration points identified:

1. SemanticClassifier ↔ Aegis Content Safety harm taxonomy: Aegis Protocol's SemanticClassifier evaluates agent actions on an Authority/Sensitivity axis. Right now that scoring is calibrated by the deploying team. Aegis Content Safety's 13-category harm taxonomy (violence, PII, etc.) is a natural upstream input to the Sensitivity dimension; a pre-trained, production-grade signal that eliminates the need for every deployment team to define harm categories from scratch. The classifier architecture is explicitly designed for composable scoring inputs.
2. PII detection on the vault write path: Aegis Protocol's ColdAuditVault and TransparencyLog create append-only, hash-chained records of every policy decision and session event. Because these logs are immutable by design, PII that enters them cannot be redacted later. Aegis Content Safety's PII detection category sitting on the vault write path - screening content before it's committed - solves a real and underappreciated compliance problem for teams building in regulated environments.
3. Incident classification via harm categories: When the Aegis Protocol session state machine escalates an agent to QUARANTINE based on cumulative behavioral anomaly pressure, it delivers tainted payload hashes to an operator-supplied callback. Running those payloads through Aegis Content Safety at that point transforms a raw anomaly signal into a labeled, categorized incident record - making the IncidentManager output far more actionable for human reviewers and directly mappable to OWASP LLM Top 10 v2025 categories that Aegis Protocol already aligns to.

Standards alignment in common:

Aegis Protocol is explicitly aligned to NIST AI RMF 1.0, NIST SP 800-53 Rev 5, DoD Zero Trust Reference Architecture v2.0, and OWASP LLM Top 10 v2025.

I've put together a concrete integration example at https://github.com/RandWhyTheQAGuy/aegis-protocol/blob/main/aegis_protocol_nemo_integration.py if there's interest from the maintainers or community. Curious whether others have approached the problem of identity and governance beneath the guardrails layer, and whether the NeMo team has a preferred pattern for this kind of composable security integration.