Gemini Agent Guardrails with Veto

Add runtime authorization to Google Gemini agents with function calling. Block dangerous actions, enforce policies, and require human approval for sensitive operations.

Start freeRead the docs

Gemini agent guardrails with Veto

Google Gemini authorization controls what actions your Gemini-powered agents can take through function calling. Veto intercepts function declarations before they reach Gemini, enforcing policies on tool execution without modifying your agent's logic.

Quick start

Wrap your Gemini function declarations with Veto's protect() function. The agent code stays the same. Authorization happens at the tool boundary.

TypeScript
import { GoogleGenerativeAI } from '@google/generative-ai'
import { protect } from 'veto-sdk'  // <- add this

const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY)
const model = genAI.getGenerativeModel({ model: 'gemini-2.0-flash' })

const tools = await protect([  // <- wrap with protect()
  {
    functionDeclarations: [
      {
        name: 'send_email',
        description: 'Send an email to a recipient',
        parameters: {
          type: 'object',
          properties: {
            to: { type: 'string', description: 'Recipient email' },
            subject: { type: 'string' },
            body: { type: 'string' },
          },
          required: ['to', 'subject', 'body'],
        },
      },
      {
        name: 'delete_file',
        description: 'Delete a file from the system',
        parameters: {
          type: 'object',
          properties: {
            path: { type: 'string', description: 'File path to delete' },
          },
          required: ['path'],
        },
      },
    ],
  },
])

const result = await model.generateContent({
  contents: [{ role: 'user', parts: [{ text: 'Clean up temp files' }] }],
  tools,
})

Policy rules

Define authorization policies in YAML. Rules evaluate tool calls against conditions like argument values, context, and rate limits.

veto/rules/gemini-safety.yaml
# veto/rules/gemini-safety.yaml
version: "1.0"
name: Gemini agent safety rules

rules:
  - id: block-external-emails
    name: Block emails to external domains
    action: block
    tools: [send_email]
    conditions:
      - field: arguments.to
        operator: not_matches
        value: "@company.com$"
    message: "External emails require approval"

  - id: require-approval-deletes
    name: Require approval for file deletions
    action: require_approval
    tools: [delete_file]
    conditions:
      - field: arguments.path
        operator: matches
        value: "^(?!/tmp/).*$"
    message: "Deleting non-temp files requires approval"

  - id: rate-limit-emails
    name: Rate limit email sends
    action: block
    tools: [send_email]
    conditions:
      - field: context.hourly_count
        operator: greater_than
        value: 10
    message: "Email rate limit exceeded"

Gemini-specific safety patterns

Common authorization patterns for Gemini agents with function calling.

Function-level authorization

Control which function declarations Gemini can invoke. Block destructive operations in production, allow them in development environments.

Argument validation

Validate function arguments against policies before execution. Block emails to external domains, restrict file paths, limit API endpoints.

Multi-modal safety

Gemini processes text, images, and audio. Apply different policies based on input modality and content type.

Grounding controls

When Gemini uses Google Search grounding, control what external data sources agents can access and cite.

How Veto protects Gemini agents

1

Wrap function declarations

Pass your Gemini function declarations through protect(). Veto registers them with the policy engine.

2

Agent calls a function

Gemini decides to call a function based on user input. The function call is intercepted before execution.

3

Policy evaluation

Veto evaluates the function name and arguments against your policies. Allow, deny, or route to human approval.

4

Enforcement

Only authorized function calls execute. Blocked calls return a configurable response. All decisions logged for audit.

Related integrations

Claude

Anthropic Claude SDK integration

OpenAI

OpenAI GPT agents with authorization

LangChain

LangChain agent guardrails

View all integrations

Frequently asked questions

How do Gemini agent guardrails work?
Veto intercepts function calls from Gemini before execution. Each call is evaluated against your YAML policies. If a policy matches, Veto enforces the action: allow the call, block it with a message, or route to human approval. The agent cannot bypass these checks.
Can I use Veto with Gemini's native safety settings?
Yes. Veto operates at the function-call level, complementing Gemini's built-in content safety filters. Use Gemini's safety settings for content moderation and Veto for action authorization. They work together without conflicts.
Does Veto support Gemini's multi-modal capabilities?
Veto focuses on function calling authorization. For multi-modal inputs (images, audio), Gemini processes them first, then function calls are intercepted. You can apply different policies based on the function being called and its arguments.
How do I handle Gemini grounding with Google Search?
When Gemini uses Google Search grounding, function calls can include search results as context. Veto policies can inspect these arguments and block or approve based on the data being accessed. Define rules that check function arguments for sensitive patterns.

Secure your Gemini agents in minutes.

Start freeView on GitHub