An NVIDIA-backed second opinion, signed
June 10, 2026 · Kevin Minn
Vindicara is a member of the NVIDIA Inception program, and Project AIR ships real NVIDIA integrations today. Not a roadmap slide: code on PyPI, runnable with one API key. This post explains what those integrations do and why a safety classifier's verdict belongs inside a forensic evidence chain, not just in a log line.
The problem with verdicts that vanish
Safety rails make decisions constantly: this prompt looks like a jailbreak, this output violates content policy, this conversation drifted off its allowed topic. In most stacks those verdicts gate the action and then disappear. Six months later, when an auditor asks why the agent was allowed to proceed, the answer is a shrug. The rail did its job in the moment and left nothing for the record.
Project AIR treats every verdict as evidence. Whatever the rail decides, the decision itself is captured as a signed, hash-chained record: what was checked, what the verdict was, what happened next, and which human cleared it if a step-up was raised.
What ships today
NeMo Guardrails capture
instrument_nemo_guardrails wraps an existing NeMo Guardrails deployment so that every guardrail decision lands in the AIR chain as a signed record. No change to how the rails work; they simply stop being amnesiac.
NemoGuard NIM classifiers as detector findings
NemoGuardClient calls NVIDIA's NemoGuard NIM microservices (JailbreakDetect, ContentSafety, and TopicControl) and records each verdict as a detector finding. Two of AIR's 16 detectors exist specifically for this: AIR-05 scales NemoGuard safety classifications by severity, and AIR-06 cross-corroborates NemoGuard verdicts against AIR's own heuristic detectors.
That corroboration is the point. When an AIR heuristic and an NVIDIA-served classifier independently agree that a prompt was a jailbreak attempt, the evidence chain no longer says "our detector flagged it." It says two independent systems agreed, and both verdicts are signed into the same tamper-evident record.
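To make the signed, hash-chained record and the two-source corroboration described above concrete, here is an added example; it is not Project AIR's code, API, or record format. The field names, source names, and key are constructed, and HMAC-SHA256 stands in for the signature scheme, which the post does not specify.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a constructed key stands in for the signature step.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64
FIELDS = ("prev", "source", "check", "verdict", "action")

def record_digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign_digest(digest):
    return hmac.new(KEY, digest.encode(), hashlib.sha256).hexdigest()

def append(chain, source, check, verdict, action):
    """Append a verdict record bound to the hash of the previous record."""
    body = {"prev": chain[-1]["hash"] if chain else GENESIS, "source": source,
            "check": check, "verdict": verdict, "action": action}
    digest = record_digest(body)
    chain.append({**body, "hash": digest, "sig": sign_digest(digest)})
    return chain

def verify(chain):
    """Return the index of the first record that fails, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        digest = record_digest({k: rec[k] for k in FIELDS})
        if (rec["prev"] != prev or rec["hash"] != digest
                or not hmac.compare_digest(rec["sig"], sign_digest(digest))):
            return i
        prev = rec["hash"]
    return -1

def corroborated(chain, check):
    """True when at least two distinct sources flagged the same check."""
    flagged = {r["source"] for r in chain
               if r["check"] == check and r["verdict"] == "flagged"}
    return len(flagged) >= 2

def build_sample():
    """Constructed sample: two independent verdicts, then the human step-up decision."""
    chain = []
    append(chain, "heuristic-detector", "jailbreak", "flagged", "step_up_raised")
    append(chain, "served-classifier", "jailbreak", "flagged", "step_up_raised")
    append(chain, "human-reviewer", "step_up", "denied", "action_blocked")
    return chain
```

Because HMAC is symmetric, anyone able to verify these records could also forge them; a chain handed to an outside auditor would normally use an asymmetric signature so that verification does not require the signing key.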
Any NIM endpoint, instrumented in-process
Any OpenAI-compatible NIM endpoint works through instrument_openai, so inference served from build.nvidia.com is captured the same way as any other provider. This is verified by a network-gated end-to-end test and a runnable demo that needs only an NVIDIA_API_KEY.
pip install projectair
export NVIDIA_API_KEY=nvapi-...
python examples/nim_demo.py
Framing discipline
NemoGuard rails are inference-backed safety classifiers. They sit alongside AIR's 16 detectors (10 OWASP Agentic, 3 OWASP LLM, 3 AIR-native) as a second opinion, not a replacement. And they are distinct from ASI10, which is declared-scope Zero-Trust enforcement rather than anomaly detection. Precision about what each layer does is half the value of an accountability product.
Where this goes
The integration we are building toward binds NVIDIA's hardware root of trust into the same evidence chain: an NRAS-signed GPU attestation token recorded inside the Signed Intent Capsule, so the record proves not only what an agent did and who authorized it, but that it ran on verified NVIDIA confidential-computing hardware. That work is on the roadmap and labeled experimental until a reference workload runs end to end.
Try it. The SDK and CLI are MIT-licensed and on PyPI. pip install projectair && air demo runs in under a minute.
© 2026 NVIDIA, the NVIDIA logo, NeMo, NemoGuard, NIM, and NVIDIA Inception are trademarks and/or registered trademarks of NVIDIA Corporation in the U.S. and other countries.