LLM firewall vs context firewall: what is the difference?
An LLM firewall usually screens prompts and model outputs for unsafe content, policy violations, or sensitive data. A context firewall controls the agent workflow around the model: which context sources are allowed to influence which actions. For simple chatbots, an LLM firewall may be enough. For agents with tools, RAG, MCP, memory, browsers, APIs, or customer data, source-to-sink enforcement is the stronger boundary.
- An LLM firewall screens prompts and outputs around the model.
- A context firewall governs the whole agent workflow: retrieval, memory, tools, egress, approvals.
- For tool-less chatbots an LLM firewall can suffice; agents need source-to-sink control.
- The two are complementary, not mutually exclusive.
Different boundaries
An LLM firewall sits at the model’s input and output. A context firewall sits across the agent loop and decides whether each class of context may influence each action. See what is a context firewall.