Integrations/Gemini

Gemini runtime authorization

Wrap Gemini function declarations with Veto. Each governed function declaration is evaluated before dispatch: allow, review, or deny, with an exportable decision record per governed decision.

Sign upRead docsBook a call

Gemini runtime authorization

Google Gemini guardrails controls what actions your Gemini-powered agents can take through function calling. Veto evaluates function calls after Gemini emits them and before your tool executes, enforcing policies on tool execution without modifying your agent loop. Use it with Gemini models that support function calling.

Gemini runtime authorization, Google Gemini guardrails, Gemini function declarations, Gemini tool call policy, Gemini function calling guardrails

Why Gemini agents need guardrails

Gemini's function calling lets agents interact with external systems: send emails, modify databases, delete files, make payments. The model decides which functions to call and with what arguments. That decision is probabilistic. Gemini's built-in safety settings handle content moderation (harassment, hate speech, dangerous content) but they do not control which functions execute or validate function arguments.

A Gemini agent told to "clean up old files" might call delete_file on production data. An agent processing customer requests might call send_email to external addresses with sensitive data. These are not content-filter problems. They are runtime authorization problems. Veto decides them at the function call boundary.

Install the SDK

Wrap your Gemini function declarations with Veto's protect() function. The agent code stays the same. Enforcement happens at the tool boundary.

Gemini + Veto install guide
import { GoogleGenerativeAI } from '@google/generative-ai';
import { protect } from 'veto-sdk';

const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY!);
const model = genAI.getGenerativeModel({ model: process.env.GEMINI_MODEL! });

const rawTools = [
  {
    functionDeclarations: [
      {
        name: 'send_email',
        description: 'Send an email to a recipient',
        parameters: {
          type: 'object',
          properties: {
            to: { type: 'string', description: 'Recipient email' },
            subject: { type: 'string' },
            body: { type: 'string' },
          },
          required: ['to', 'subject', 'body'],
        },
      },
      {
        name: 'delete_file',
        description: 'Delete a file from the system',
        parameters: {
          type: 'object',
          properties: {
            path: { type: 'string', description: 'File path to delete' },
          },
          required: ['path'],
        },
      },
    ],
  },
];

// Guardrails enforced before Gemini sees the tools.
const tools = await protect(rawTools);

const result = await model.generateContent({
  contents: [{ role: 'user', parts: [{ text: 'Clean up temp files' }] }],
  tools,
});

Function call interception

For more control, intercept Gemini function call responses individually. This pattern works when you need to handle approval workflows or return custom error messages to the model.

Intercept individual function calls
import { Veto } from 'veto-sdk';

const veto = await Veto.init({ apiKey: process.env.VETO_API_KEY });

async function handleGeminiFunctionCall(
  functionCall: { name: string; args: Record<string, unknown> }
) {
  // Validate the function call before executing
  const decision = await veto.guard(functionCall.name, functionCall.args);

  if (decision.decision === 'deny') {
    return {
      functionResponse: {
        name: functionCall.name,
        response: { error: decision.reason },
      },
    };
  }

  if (decision.decision === 'require_approval') {
    return {
      functionResponse: {
        name: functionCall.name,
        response: { error: 'This action requires human approval. Request ID: ' + decision.approvalId },
      },
    };
  }

  // Execute the function
  const result = await executeTool(functionCall.name, functionCall.args);
  return {
    functionResponse: {
      name: functionCall.name,
      response: result,
    },
  };
}

Policy rules

Define policies in YAML. Rules evaluate tool calls against conditions like argument values, context, and rate limits.

veto/rules/gemini-safety.yaml
version: "1.0"
name: Gemini agent safety rules

rules:
  - id: block-external-emails
    action: block
    tools: [send_email]
    conditions:
      - field: arguments.to
        operator: not_matches
        value: "@approved\.example\.com$"
    message: "External emails require approval"

  - id: require-approval-deletes
    action: require_approval
    tools: [delete_file]
    conditions:
      - field: arguments.path
        operator: not_matches
        value: "^/tmp/"
    message: "Deleting non-temp files requires human approval"

  - id: rate-limit-emails
    action: block
    tools: [send_email]
    conditions:
      - field: context.hourly_count
        operator: greater_than
        value: 10
    message: "Email rate limit exceeded (10/hour)"

Multi-modal action control

Gemini processes text, images, audio, and video. Regardless of what input triggers a function call, Veto evaluates the call against your policies. An image containing a prompt injection the policy decision is outside the prompt path because Veto operates at the function call layer, not the content layer.

Multi-modal input with guarded tools
import { protect } from 'veto-sdk';

// Gemini processes images, audio, and video.
// Veto controls what functions can execute regardless of input modality.

const tools = await protect([
  {
    functionDeclarations: [
      {
        name: 'analyze_document',
        description: 'Extract and process document contents',
        parameters: {
          type: 'object',
          properties: {
            action: { type: 'string', enum: ['read', 'summarize', 'export'] },
            format: { type: 'string', enum: ['text', 'json', 'csv'] },
          },
          required: ['action'],
        },
      },
    ],
  },
]);

// Upload an image and let Gemini analyze it - with guardrails
const result = await model.generateContent([
  { inlineData: { mimeType: 'image/png', data: base64Image } },
  { text: 'Extract all PII from this document and export as CSV' },
  // Veto can block the 'export' action while allowing 'read' and 'summarize'
]);

Gemini-specific action patterns

Function-level guardrails

Control which function declarations Gemini can invoke. Block destructive operations in production, allow them in development environments. Policies apply per-environment without code changes.

Argument validation

Validate function arguments against policies before execution. Block emails to external domains, restrict file paths to approved directories, enforce amount limits on financial operations.

Grounding controls

When Gemini uses Google Search grounding, function call arguments may contain external data. Veto policies inspect these arguments and block or approve based on content patterns and data sensitivity.

Rate limiting

Prevent runaway agents from executing too many function calls. Set per-tool, per-user, or global rate limits. Critical for cost control when Gemini agents run in production loops.

How Veto protects Gemini agents

1

Wrap function declarations

Pass your Gemini function declarations through protect(). Veto registers them with the policy engine and returns compatible declarations.

2

Agent calls a function

Gemini decides to call a function based on user input. The function call is intercepted before execution.

3

Policy evaluation

Veto evaluates the function name and arguments against your policies. Deterministic rules, no LLM involved in the policy decision.

4

Enforcement

Only allowed function calls execute. Blocked calls return a configurable response to Gemini. Governed decisions logged for evidence review.

Frequently asked questions

How does runtime authorization differ from Gemini content settings?
Gemini content settings filter categories such as harassment, hate speech, and dangerous content. Veto controls function execution: which functions can run, with what arguments, and under what conditions. Use content settings for text and media; use Veto for actions.
Which Gemini models work with Veto?
Use Gemini models that support function calling. Veto operates at the function declaration level, so the integration belongs at tool dispatch rather than inside a model-specific prompt.
What happens when image prompt injection targets function calls?
Veto evaluates function calls after Gemini decides what to call. If an image prompt injection leads to a high-impact function call, the governed call is still evaluated against policy before execution.
How does Veto handle Gemini's parallel function calling?
Gemini can return multiple function calls in a single response. Veto evaluates each call independently against your policies. Some calls may be allowed while others are blocked. The agent receives the mixed results and can continue accordingly.

Related integrations

Claude

Anthropic Claude SDK integration

OpenAI

OpenAI GPT agents with guardrails

Amazon Bedrock

AWS Bedrock agent runtime authorization

Browse integrations

Wrap one Gemini tool path and inspect the decision record.

Sign upRead docsBook a call