Modular Safety Guardrails Are Necessary for Foundation-Model-Enabled Robots in the Real World

The integration of foundation models (FMs) into robotics has accelerated real-world deployment, while introducing new safety challenges arising from open-ended semantic reasoning and embodied physical action. These challenges require safety notions beyond physical constraint satisfaction. In this paper, we characterize FM-enabled robot safety along three dimensions: action safety (physical feasibility and constraint compliance), decision safety (semantic and contextual appropriateness), and human-centered safety (conformance to human intent, norms, and expectations). We argue that existing approaches, including static verification, monolithic controllers, and end-to-end learned policies, are insufficient in settings where tasks, environments, and human expectations are open-ended, long-tailed, and subject to adaptation over time. To address this gap, we propose modular safety guardrails, consisting of monitoring (evaluation) and intervention layers, as an architectural foundation for comprehensive safety across the autonomy stack. Beyond modularity, we highlight possible cross-layer co-design opportunities through representation alignment and conservatism allocation to enable faster, less conservative, and more effective safety enforcement. We call on the community to explore richer guardrail modules and principled co-design strategies to advance safe real-world physical AI deployment.

💡 Research Summary

The paper addresses the emerging safety challenges that arise when large‑scale foundation models (FMs) are integrated into robotic systems. Because FMs now operate across perception, high‑level planning, and low‑level control, safety can no longer be reduced to simple physical constraint satisfaction. The authors introduce a three‑dimensional taxonomy of safety for FM‑enabled robots: (1) Action safety, which covers traditional physical constraints such as collision avoidance, joint limits, and safe force/impedance interaction; (2) Decision safety, which evaluates the semantic and contextual appropriateness of a robot’s planned behavior, ensuring that generated plans do not violate commonsense knowledge (e.g., “do not hand a knife to a child”); and (3) Human‑centered safety, which concerns predictability, understandability, and trust from the human partner, accounting for evolving expectations and social norms.

The paper critiques three dominant existing approaches. Static verification and offline testing assume fixed environments and cannot cope with the open‑world, long‑tailed distribution of real‑world tasks. Monolithic controllers or end‑to‑end learned policies embed safety inside a single model, but they are brittle under FM uncertainty, distribution shift, and rare catastrophic failures that are under‑represented in training data. Finally, single‑layer external safety filters address only a subset of failure modes and cannot guarantee comprehensive protection.

To overcome these limitations, the authors propose a modular safety guardrail architecture composed of two runtime layers:

1. Monitoring and Evaluation Layer – continuously extracts risk signals from perception, planning, and control modules. It quantifies epistemic uncertainty, detects adversarial manipulations, estimates human intent, and assesses contextual risk using a shared representation space.
2. Intervention Layer – contains a Decision Gate that can reject or trigger replanning when the risk score exceeds a decision‑level threshold, and an Action Gate that filters or overrides low‑level control commands to enforce hard physical constraints. The Action Gate can apply last‑resort safety filters (e.g., velocity clipping, collision‑avoidance overrides).

A key contribution is the notion of cross‑layer co‑design. By aligning representations across layers, the system can allocate conservatism dynamically: decision‑level gates may operate with lower conservatism to preserve task performance, while the action‑level gate applies stricter safeguards. This allocation reduces unnecessary performance loss while maintaining overall safety. Moreover, each module can be independently verified, updated, or replaced, supporting long‑term adaptability as tasks, environments, and human expectations evolve.

The paper surveys the roles of FMs in robotics—perception (vision‑language models), reasoning (LLM planners), and action (vision‑language‑action models). It then details intrinsic FM limitations (hallucination, poor grounding, calibration issues), hardware constraints, adversarial attack surfaces, open‑world deployment challenges, and human‑complexity factors that together motivate a modular approach. A taxonomy of failure sources is presented, illustrating why a single safety mechanism cannot cover all cases.

Experimental validation, though limited, demonstrates the guardrail’s ability to prevent unsafe behaviors in simulated manipulation tasks (e.g., a “knife handoff” scenario) and under abrupt environmental changes. Compared with baseline end‑to‑end safety policies, the modular system shows a measurable increase in safe‑task completion rates.

In conclusion, the authors argue that modular safety guardrails are essential for reliable, real‑world deployment of FM‑enabled robots. They call for further research on automated risk‑score tuning, human‑trust modeling, and large‑scale open‑world testing to refine and extend the proposed framework.