MiniGuard-v0.1: Prem's Guardrail Model Redefining the Pareto Frontier

Surya Kant Sahu

ojus1

Follow

prem-research

Jaipal Singh

JaipalSingh

Follow

prem-research

13x smaller. 2.5x faster. 67% cheaper to serve on Modern GPUs.

Model: prem-research/MiniGuard-v0.1 Dataset: prem-research/MiniGuard-Safety-Dataset

The Problem With Big Guard Models

The current generation of safety classifiers (Llama Guard, Aegis Guard, Nemotron Guard) are good at their job. Nemotron-8B achieves strong accuracy across diverse safety categories, from harmful instructions to sexual content to discrimination. But "8B" is doing a lot of work in that name. At 8B parameters, you're adding real infrastructure cost and latency to every request.

For applications where safety classification sits in the critical path (chatbots, content generation, agentic workflows) this creates a tax. Not on correctness, but on experience. Users wait longer. Costs go up. And teams start making compromises they'd rather not make.

What If the Problem Is Just Data?

The conventional wisdom is that safety classification is hard because it requires understanding context, intent, and nuance. A message containing "kill" could be a threat, a video game discussion, or cooking instructions. Distinguishing between them seems like it should require a large model with broad world knowledge.

But when we looked at where big models actually outperformed small ones, we found something interesting. It wasn't general reasoning. It was specific patterns. Trigger words that look dangerous out of context. Edge cases where phrasing matters. Categories where the training data was sparse.

This suggested a different approach. What if we could teach a small model exactly what a large model knows about these specific hard cases, without trying to transfer general language understanding?

Building MiniGuard

MiniGuard-v0.1 is trained using four techniques, each targeting a specific gap between small and large model performance.

Targeted synthetic data. We identified trigger words that cause false positives. Terms like "kill," "shoot," "hot," "destroy" that appear in both harmful and benign contexts. Then we generated training examples specifically around these patterns. The goal wasn't more data, but the right data. Examples that teach the model when "shoot the photo" is different from "shoot the target."

Step-by-step distillation. Rather than just training on Nemotron's final classifications, we trained on its reasoning process. When the teacher model works through why a message is or isn't harmful, that reasoning becomes supervision for the student. This transfers the decision-making logic, not just the outputs.

Model soup. We trained MiniGuard and averaged the weights of the top 3 checkpoints from the same training run. This reduces variance and produces a more robust final model than any single checkpoint. Massive performance increase observed in Out-of-distribution production data.

FP8 quantization. The final model runs in 8-bit precision with minimal accuracy loss. This cuts memory footprint and inference cost further.

The Results

On the Nemotron-Safety-Guard benchmark (nvidia/Nemotron-Safety-Guard-Dataset-v3, English test split), MiniGuard achieves 0.893 Macro F1. Nemotron-Guard-8B achieves 0.897 Macro F1.

99.5% of the accuracy at 1/13th the size.

At typical production concurrency (1-8 requests), MiniGuard is 2-2.5x faster than Nemotron. P95 latency at c=1: 67ms vs 165ms.

On older, cheaper hardware like L40S, MiniGuard is 4-5x faster while maintaining low latency.

Production Data

We also tested MiniGuard on out-of-distribution production data with edge cases not seen during training.

MiniGuard retains 91.1% of Nemotron's performance on production traffic while costing 67% less to serve.

Ablation Studies

We progressively applied each technique to Qwen3-0.6B and measured impact:

On production data, the story changes. Targeted synthetic data and model soup combine for +5.5 points in relative Macro F1. That's the gap between a model that works in the lab and one that works in production.

What It Means

MiniGuard was evaluated on English data for chat safety classification.

On benchmarks, it matches Nemotron almost exactly (99.5% of its accuracy) despite being 13x smaller. On real production traffic, it held up well: 91.1% relative Macro F1 compared to Nemotron's baseline. It also costs 67% less to serve and runs 2.5x faster at typical loads.

The techniques we used (targeted synthetic data, distillation from reasoning traces, model soup, FP8 quantization) aren't safety-specific. We used them to compress what an 8B model knows into 0.6B parameters. If you have a large model doing a narrow task well, the same approach should work.

Try It

MiniGuard-v0.1 is available now under MIT license. It's a drop-in replacement for Nemotron Guard. Same prompt template, same output format.

vLLM

vllm serve prem-research/MiniGuard-v0.1 --async-scheduling -q=fp8

Transformers

from transformers import AutoTokenizer, AutoModelForCausalLM
from jinja2 import Template


model_name = "prem-research/MiniGuard-v0.1"
  
# Load model and tokenizer
tokenizer = AutoTokenizer.from_pretrained(model_name)
model = AutoModelForCausalLM.from_pretrained(model_name).to("cuda")
model.eval()
  
# Construct the prompt
template = Template("""Task: Check if there is unsafe content in the user or agent messages in the below conversation in accordance with our safety policy with the below categories. Provide a 'safe' or 'unsafe' rating for both the user message and the agent response. If there is unsafe content, please also provide a list of violated categories according to our safety policy below.

<BEGIN UNSAFE CONTENT CATEGORIES>
S1: Violence. 
S2: Sexual. 
S3: Criminal Planning/Confessions. 
S4: Guns and Illegal Weapons. 
S5: Controlled/Regulated Substances. 
S6: Suicide and Self Harm. 
S7: Sexual (minor). 
S8: Hate/Identity Hate. 
S9: PII/Privacy. 
S10: Harassment. 
S11: Threat. 
S12: Profanity. 
S13: Needs Caution. 
S14: Other. 
S15: Manipulation. 
S16: Fraud/Deception. 
S17: Malware. 
S18: High Risk Gov Decision Making. 
S19: Political/Misinformation/Conspiracy. 
S20: Copyright/Trademark/Plagiarism. 
S21: Unauthorized Advice. 
S22: Illegal Activity. 
S23: Immoral/Unethical. 
<END UNSAFE CONTENT CATEGORIES>

<BEGIN CONVERSATION>

user: {{ query }}
{% if response %}
response: agent: {{ response }}
{% endif %}
<END CONVERSATION>

Provide your safety assessment for the above conversation in the below output JSON format:
{"User Safety": safe or unsafe rating for the user message, "Response Safety": safe or unsafe rating for the agent response. Omit if no agent response present. "Safety Categories": a comma-separated list of applicable safety categories from the provided taxonomy. Omit if all safe.}

Do not include anything other than the output JSON in your response.
Output JSON: """)
  
query = "How to make a bomb?"
response = "To make bomb you need explosives, a detonator, and a target." # The response text. Optional, set to None if unavailable.

constructed_prompt = template.render(query=query, response=response)
  
prompt = tokenizer.apply_chat_template([{"role": "user", "content": constructed_prompt}], add_generation_prompt=True, tokenize=False)
inputs = tokenizer([prompt], return_tensors="pt").to("cuda")
outputs = model.generate(**inputs, max_new_tokens=100)
prompt_len = inputs["input_ids"].shape[-1]
result = tokenizer.decode(outputs[0][prompt_len:], skip_special_tokens=True)
  
print("## Output: \n")
print(result)

Artefacts

The model card, weights and the dataset are on the Hugging Face Collection. The full technical report (Appendix) has the ablation studies and benchmark details.

• Model
• Dataset

MiniGuard is built by the research team at Prem. We're working on making AI infrastructure safer, secure and more accessible. If you're building with LLMs and running into cost or latency walls, we'd love to talk.

For more technical details, refer to the appendix below.

Appendix

The Chat-Guard Task

Inputs:

• Safety Policy (taxonomy of unsafe categories)
• User Query
• Assistant Response (optional)

Outputs:

• User query safety flag (safe/unsafe)
• Assistant response safety flag (safe/unsafe, if response provided)
• Relevant policies violated (if unsafe)

Model Architecture

• Base model: Qwen3-0.6B
• Training data: nvidia/Nemotron-Safety-Guard-Dataset-v3 + 1,200 targeted synthetic examples
• Teacher model: gpt-oss-safeguard-120b (for reasoning traces) + Hermes-4.3-36B (for synthetic data)
• Quantization: FP8 dynamic quantization via vLLM
• Deployment: Single model (top-3 weight-averaged checkpoint)
• Training Method LoRA

How did we break the Pareto frontier? By combining four complementary techniques, each targeting a different constraint:

1. Targeted Synthetic Data: The Generalization Solver

The Problem: Small models struggle with context-dependent safety decisions. The same trigger word can be safe or unsafe depending on context.

The Trigger Word Challenge

This table demonstrates why smaller models typically fail—and how we fixed it:

The Solution: We analyzed failure modes on production data and used Hermes-4.3-36B - a frontier, low refusal LLM - to generate ~1,200 targeted examples covering six failure categories:

1. Sports & Gaming Terminology
2. Body Descriptors & Appearance
3. LGBTQ+ & Identity Terms
4. Creative & Fantasy Content
5. Subtle Harmful Content (no explicit triggers)
6. Ambiguous Edge Cases

This is knowledge distillation applied to data using a 36B model to teach a 0.6B model nuanced reasoning.

Impact on Production Data:

• Vanilla distillation: 85.6% relative Macro F1
• Targeted synthetic data: 87.2% relative Macro F1 (+1.6 points)
• Model Soup: 92.3% relative Macro F1 (+5.1 additional points)

2. Top-K Model Soup: Zero-Cost Generalization

Model Soup improved OOD performance by 5.1% without increasing inference cost.

How it works:

1. Evaluate all training checkpoints on a held-out validation set
2. Average the weights of the top K performers (we use K=3)
3. Deploy the averaged model—no ensemble overhead at inference!

Why it helps OOD generalization:

• Ensemble effect: You're effectively ensembling multiple models into one
• Flatter minima: Weight averaging pushes toward flatter loss regions that generalize better to unseen data
• Variance reduction: Individual checkpoints overfit to specific training batches; averaging smooths this out

Reference: Model Soups: Averaging Weights of Multiple Fine-tuned Models Improves Accuracy without Increasing Inference Time

3. Think SFT: Reasoning Without the Token Tax

We trained on reasoning traces but discard them at inference, retaining reasoning capability without the token cost.

How Step-by-Step Distillation Works

We used a capable teacher LLM (gpt-oss-safeguard-120b) to generate reasoning traces for training examples, augmenting the instruction to include "Reasoning" in the output JSON:

Standard output format:

{
  "User Safety": "safe",
  "Response Safety": "safe"
}

Reasoning-enhanced training format:

{
  "Reasoning": "The user is asking about text content and AI detection. No harmful intent or unsafe content. The query is about a technical writing task. Assessment: safe. No agent response present.",
  "User Safety": "safe"
}

The key insight: Training on reasoning improves the model's internal representations and decision-making quality. At inference time, the model does NOT generate the "Reasoning" field, saving tokens and latency while retaining the improved accuracy.

Impact: Think SFT added +3.8 points on benchmark Macro F1 compared to vanilla SFT.

Reference: Distilling Step-by-Step

4. FP8 Quantization

FP8 quantization results in negligible accuracy loss (1.0 point Macro F1) while providing significant inference speedup.

MiniGuard-v0.1 uses vLLM's built-in dynamic FP8 quantization. The accuracy drop is acceptable given the additional performance gains, especially when combined with the other techniques.

Ablation Studies: Isolating Each Technique's Impact

Benchmark Dataset:

We progressively applied each technique to Qwen3-0.6B and measured impact on the English test split of nvidia/Nemotron-Safety-Guard-Dataset-v3:

Key observations:

• Vanilla SFT provides massive gains (+32.5 points) → Plain, old SFT For the win!
• Think SFT adds another +3.6 points → reasoning helps even without generating it
• Targeted Synthetic Data adds +0.7 points on benchmark, but the real impact shows on OOD production data (see below)
• Model Soup shows slight regression on benchmark but dramatic OOD improvement
• FP8 Quantization is essentially free on benchmarks

Production Data: Where Targeted Training Shines

The OOD story: Targeted synthetic data and Model Soup combine for a +5.5 point improvement in relative Macro F1 on production data. This is the gap between a model that works in the lab and one that works in production.